High severity · NVD Advisory · Published Mar 7, 2026 · Updated Mar 9, 2026
Ghost: Incomplete CSRF protections around OTC use
CVE-2026-29784
Description
Ghost is a Node.js content management system. From version 5.101.6 through 6.19.2, incomplete CSRF protections around the /session/verify endpoint made it possible to use one-time codes (OTCs) in a login session other than the one that requested them. In some scenarios this might have made it easier for phishers to take over a Ghost site. This issue has been patched in version 6.19.3.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ghost (npm) | >= 5.101.6, < 6.19.3 | 6.19.3 |
Affected products: 1
Patches: 0 (no patches discovered yet)
References (4)
- github.com/advisories/GHSA-9m84-wc28-w895 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-29784 (advisory)
- github.com/TryGhost/Ghost/commit/ec065a774fa125953d2aa644a59cd8990329e0a0 (commit)
- github.com/TryGhost/Ghost/security/advisories/GHSA-9m84-wc28-w895 (upstream advisory)