npm package
ghost
pkg:npm/ghost
Vulnerabilities (21)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-29784 | — | >= 5.101.6, < 6.19.3 | 6.19.3 | Mar 7, 2026 | Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to | ||
| CVE-2026-29053 | — | >= 0.7.2, < 6.19.1 | 6.19.1 | Mar 5, 2026 | Ghost is a Node.js content management system. From version 0.7.2 to 6.19.0, specifically crafted malicious themes can execute arbitrary code on the server running Ghost. This issue has been patched in version 6.19.1. | ||
| CVE-2026-26980 | — | >= 3.24.0, < 6.19.1 | 6.19.1 | Feb 20, 2026 | Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1. | ||
| CVE-2026-24778 | — | >= 5.43.0, < 5.121.0 | 5.121.0 | Jan 27, 2026 | Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, an attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaScript with the victim's permission | ||
| CVE-2026-22597 | Low | 2.7 | >= 6.0.0, < 6.11.0 | 6.11.0 | Jan 10, 2026 | Ghost is a Node.js content management system. In versions 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost’s media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API to exfiltrate data from internal | |
| CVE-2026-22596 | — | >= 6.0.0, < 6.11.0 | 6.11.0 | Jan 10, 2026 | Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL. This issue has b | ||
| CVE-2026-22595 | — | >= 6.0.0, < 6.11.0 | 6.11.0 | Jan 10, 2026 | Ghost is a Node.js content management system. In versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's handling of Staff Token authentication allowed certain endpoints to be accessed that were only intended to be accessible via Staff Session authen | ||
| CVE-2026-22594 | — | >= 6.0.0, < 6.11.0 | 6.11.0 | Jan 10, 2026 | Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. This issue has been patched in versions 5.130.6 and 6.11.0. | ||
| CVE-2025-9862 | — | >= 6.0.0, < 6.0.9 | 6.0.9 | Sep 17, 2025 | Server-Side Request Forgery (SSRF) vulnerability in Ghost allows an attacker to access internal resources.This issue affects Ghost: from 6.0.0 through 6.0.8, from 5.99.0 through 5.130.3. | ||
| CVE-2024-43409 | — | >= 4.46.0, < 5.89.5 | 5.89.5 | Aug 20, 2024 | Ghost is a Node.js content management system. Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions, and read member information. This security vulnerability is present in Ghost v4.46.0-v5.89.4. v5.89.5 contains a | ||
| CVE-2024-23724 | — | <= 5.76.0 | — | Feb 11, 2024 | Ghost through 5.76.0 allows stored XSS, and resultant privilege escalation in which a contributor can take over any account, via an SVG profile picture that contains JavaScript code to interact with the API on localhost TCP port 3001. NOTE: The discoverer reports that "The vendor | ||
| CVE-2024-23725 | — | < 5.76.0 | 5.76.0 | Jan 21, 2024 | Ghost before 5.76.0 allows XSS via a post excerpt in excerpt.js. An XSS payload can be rendered in post summaries. | ||
| CVE-2023-40028 | — | < 5.59.1 | 5.59.1 | Aug 15, 2023 | Ghost is an open source content management system. Versions prior to 5.59.1 are subject to a vulnerability which allows authenticated users to upload files that are symlinks. This can be exploited to perform an arbitrary file read of any file on the host operating system. Site ad | ||
| CVE-2023-31133 | — | < 5.46.1 | 5.46.1 | May 8, 2023 | Ghost is an app for new-media creators with tools to build a website, publish content, send newsletters, and offer paid subscriptions to members. Prior to version 5.46.1, due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fiel | ||
| CVE-2023-32235 | — | < 5.42.1 | 5.42.1 | May 5, 2023 | Ghost before 5.42.1 allows remote attackers to read arbitrary files within the active theme's folder via /assets/built%2F..%2F..%2F/ directory traversal. This occurs in frontend/web/middleware/static-theme.js. | ||
| CVE-2022-41654 | — | >= 5.0.0, < 5.22.7 | 5.22.7 | Dec 23, 2022 | An authentication bypass vulnerability exists in the newsletter subscription functionality of Ghost Foundation Ghost 5.9.4. A specially-crafted HTTP request can lead to increased privileges. An attacker can send an HTTP request to trigger this vulnerability. | ||
| CVE-2022-28397 | — | <= 4.42.0 | — | Apr 12, 2022 | An arbitrary file upload vulnerability in the file upload module of Ghost CMS v4.42.0 allows attackers to execute arbitrary code via a crafted file. NOTE: Vendor states as detailed in Ghost's security documentation, files can only be uploaded and published by trusted users, this | ||
| CVE-2022-27139 | — | <= 4.39.0 | — | Apr 12, 2022 | An arbitrary file upload vulnerability in the file upload module of Ghost v4.39.0 allows attackers to execute arbitrary code via a crafted SVG file. NOTE: Vendor states that as outlined in Ghost's security documentation, upload of SVGs is only possible by trusted authenticated us | ||
| CVE-2021-39192 | — | >= 4.0.0, < 4.10.0 | 4.10.0 | Sep 3, 2021 | Ghost is a Node.js content management system. An error in the implementation of the limits service between versions 4.0.0 and 4.9.4 allows all authenticated users (including contributors) to view admin-level API keys via the integrations API endpoint, leading to a privilege escal | ||
| CVE-2021-29484 | — | >= 4.0.0, < 4.3.3 | 4.3.3 | Apr 29, 2021 | Ghost is a Node.js CMS. An unused endpoint added during the development of 4.0.0 has left sites vulnerable to untrusted users gaining access to Ghost Admin. Attackers can gain access by getting logged in users to click a link containing malicious code. Users do not need to enter |
- CVE-2026-29784Mar 7, 2026affected >= 5.101.6, < 6.19.3fixed 6.19.3
Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to
- CVE-2026-29053Mar 5, 2026affected >= 0.7.2, < 6.19.1fixed 6.19.1
Ghost is a Node.js content management system. From version 0.7.2 to 6.19.0, specifically crafted malicious themes can execute arbitrary code on the server running Ghost. This issue has been patched in version 6.19.1.
- CVE-2026-26980Feb 20, 2026affected >= 3.24.0, < 6.19.1fixed 6.19.1
Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.
- CVE-2026-24778Jan 27, 2026affected >= 5.43.0, < 5.121.0fixed 5.121.0
Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, an attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaScript with the victim's permission
- affected >= 6.0.0, < 6.11.0fixed 6.11.0
Ghost is a Node.js content management system. In versions 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost’s media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API to exfiltrate data from internal
- CVE-2026-22596Jan 10, 2026affected >= 6.0.0, < 6.11.0fixed 6.11.0
Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL. This issue has b
- CVE-2026-22595Jan 10, 2026affected >= 6.0.0, < 6.11.0fixed 6.11.0
Ghost is a Node.js content management system. In versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's handling of Staff Token authentication allowed certain endpoints to be accessed that were only intended to be accessible via Staff Session authen
- CVE-2026-22594Jan 10, 2026affected >= 6.0.0, < 6.11.0fixed 6.11.0
Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. This issue has been patched in versions 5.130.6 and 6.11.0.
- CVE-2025-9862Sep 17, 2025affected >= 6.0.0, < 6.0.9fixed 6.0.9
Server-Side Request Forgery (SSRF) vulnerability in Ghost allows an attacker to access internal resources.This issue affects Ghost: from 6.0.0 through 6.0.8, from 5.99.0 through 5.130.3.
- CVE-2024-43409Aug 20, 2024affected >= 4.46.0, < 5.89.5fixed 5.89.5
Ghost is a Node.js content management system. Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions, and read member information. This security vulnerability is present in Ghost v4.46.0-v5.89.4. v5.89.5 contains a
- CVE-2024-23724Feb 11, 2024affected <= 5.76.0
Ghost through 5.76.0 allows stored XSS, and resultant privilege escalation in which a contributor can take over any account, via an SVG profile picture that contains JavaScript code to interact with the API on localhost TCP port 3001. NOTE: The discoverer reports that "The vendor
- CVE-2024-23725Jan 21, 2024affected < 5.76.0fixed 5.76.0
Ghost before 5.76.0 allows XSS via a post excerpt in excerpt.js. An XSS payload can be rendered in post summaries.
- CVE-2023-40028Aug 15, 2023affected < 5.59.1fixed 5.59.1
Ghost is an open source content management system. Versions prior to 5.59.1 are subject to a vulnerability which allows authenticated users to upload files that are symlinks. This can be exploited to perform an arbitrary file read of any file on the host operating system. Site ad
- CVE-2023-31133May 8, 2023affected < 5.46.1fixed 5.46.1
Ghost is an app for new-media creators with tools to build a website, publish content, send newsletters, and offer paid subscriptions to members. Prior to version 5.46.1, due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fiel
- CVE-2023-32235May 5, 2023affected < 5.42.1fixed 5.42.1
Ghost before 5.42.1 allows remote attackers to read arbitrary files within the active theme's folder via /assets/built%2F..%2F..%2F/ directory traversal. This occurs in frontend/web/middleware/static-theme.js.
- CVE-2022-41654Dec 23, 2022affected >= 5.0.0, < 5.22.7fixed 5.22.7
An authentication bypass vulnerability exists in the newsletter subscription functionality of Ghost Foundation Ghost 5.9.4. A specially-crafted HTTP request can lead to increased privileges. An attacker can send an HTTP request to trigger this vulnerability.
- CVE-2022-28397Apr 12, 2022affected <= 4.42.0
An arbitrary file upload vulnerability in the file upload module of Ghost CMS v4.42.0 allows attackers to execute arbitrary code via a crafted file. NOTE: Vendor states as detailed in Ghost's security documentation, files can only be uploaded and published by trusted users, this
- CVE-2022-27139Apr 12, 2022affected <= 4.39.0
An arbitrary file upload vulnerability in the file upload module of Ghost v4.39.0 allows attackers to execute arbitrary code via a crafted SVG file. NOTE: Vendor states that as outlined in Ghost's security documentation, upload of SVGs is only possible by trusted authenticated us
- CVE-2021-39192Sep 3, 2021affected >= 4.0.0, < 4.10.0fixed 4.10.0
Ghost is a Node.js content management system. An error in the implementation of the limits service between versions 4.0.0 and 4.9.4 allows all authenticated users (including contributors) to view admin-level API keys via the integrations API endpoint, leading to a privilege escal
- CVE-2021-29484Apr 29, 2021affected >= 4.0.0, < 4.3.3fixed 4.3.3
Ghost is a Node.js CMS. An unused endpoint added during the development of 4.0.0 has left sites vulnerable to untrusted users gaining access to Ghost Admin. Attackers can gain access by getting logged in users to click a link containing malicious code. Users do not need to enter
Page 1 of 2