High severityNVD Advisory· Published Mar 5, 2026· Updated Mar 5, 2026

Ghost Vulnerable to Remote Code Execution via Malicious Themes

CVE-2026-29053

Description

Ghost is a Node.js content management system. From version 0.7.2 to 6.19.0, specifically crafted malicious themes can execute arbitrary code on the server running Ghost. This issue has been patched in version 6.19.1.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
ghostnpm	>= 0.7.2, < 6.19.1	6.19.1

Affected products

Tryghost/Ghostv5
Range: >= 0.7.2, < 6.19.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-cgc2-rcrh-qr5xghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-29053ghsaADVISORY
github.com/TryGhost/Ghost/security/advisories/GHSA-cgc2-rcrh-qr5xghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000