VYPR
High severityNVD Advisory· Published Mar 7, 2026· Updated Mar 9, 2026

Ghost: Incomplete CSRF protections around OTC use

CVE-2026-29784

Description

Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to take over a Ghost site. This issue has been patched in version 6.19.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
ghostnpm
>= 5.101.6, < 6.19.36.19.3

Affected products

3

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.