Unrated severityNVD Advisory· Published Jun 24, 2026· Updated Jun 24, 2026
@tryghost/activitypub: XSS in Ghost's ActivityPub client
CVE-2026-53950
Description
@tryghost/activitypub is Ghost’s social/federation client app. Prior to 3.1.0, the ActivityPub client in Ghost was vulnerable to JavaScript injection on posts shared by a maliciously customised ActivityPub server. This vulnerability is fixed in 3.1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: <3.1.0
Patches
Vulnerability mechanics
References
1- github.com/TryGhost/Ghost/security/advisories/GHSA-xpp7-93x6-v29mmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.