VYPR
Low severity (2.7) · NVD Advisory · Published Jan 10, 2026 · Updated Apr 29, 2026

CVE-2026-22597

Description

Ghost is a Node.js content management system. In versions 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost’s media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API to exfiltrate data from internal systems via SSRF. This issue has been patched in versions 5.130.6 and 6.11.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| ghost (npm) | >= 6.0.0, < 6.11.0 | 6.11.0 |
| ghost (npm) | >= 5.105.0, < 5.130.6 | 5.130.6 |

Affected products (3)

  • cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*
    Range: >=5.38.0,<5.130.6
  • osv-coords (2 versions)
    • (no CPE) range: >= 5.38.0, < 5.130.6
    • (no CPE) range: >= 6.0.0, < 6.11.0
