VYPR

Ghost

by Tryghost

npm: ghost

Source repositories

CVEs (41)

  • CVE-2026-26980CriFeb 20, 2026
    risk 0.63cvss 9.4epss 0.70

    Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.

  • CVE-2024-34559HigMay 14, 2024
    risk 0.49cvss 7.5epss 0.01

    Insertion of Sensitive Information into Log File vulnerability in Ghost Foundation Ghost.This issue affects Ghost: from n/a through 1.4.0.

  • CVE-2025-9992MedSep 18, 2025
    risk 0.35cvss 6.4epss 0.00

    The Ghost Kit – Page Builder Blocks, Motion Effects & Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS field in all versions up to, and including, 3.4.3 due to insufficient input sanitization and output escaping. This makes it…

  • CVE-2025-54142MedAug 29, 2025
    risk 0.26cvss 4.0epss 0.00

    Akamai Ghost before 2025-07-21 allows HTTP Request Smuggling via an OPTIONS request that has an entity body, because there can be a subsequent request within the persistent connection between an Akamai proxy server and an origin server, if the origin server violates certain…

  • CVE-2025-32094MedAug 7, 2025
    risk 0.26cvss 4.0epss 0.01

    An issue was discovered in Akamai Ghost, as used for the Akamai CDN platform before 2025-03-26. Under certain circumstances, a client making an HTTP/1.x OPTIONS request with an "Expect: 100-continue" header, and using obsolete line folding, can lead to a discrepancy in how two…

  • CVE-2026-22597LowJan 10, 2026
    risk 0.11cvss 2.7epss 0.00

    Ghost is a Node.js content management system. In versions 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost’s media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API to exfiltrate data from…

  • CVE-2024-23724Feb 11, 2024
    risk 0.03cvss epss 0.03

    Ghost through 5.76.0 allows stored XSS, and resultant privilege escalation in which a contributor can take over any account, via an SVG profile picture that contains JavaScript code to interact with the API on localhost TCP port 3001. NOTE: The discoverer reports that "The…

  • CVE-2023-40028Aug 15, 2023
    risk 0.01cvss epss 0.58

    Ghost is an open source content management system. Versions prior to 5.59.1 are subject to a vulnerability which allows authenticated users to upload files that are symlinks. This can be exploited to perform an arbitrary file read of any file on the host operating system. Site…

  • CVE-2022-41697Dec 23, 2022
    risk 0.01cvss epss 0.20

    A user enumeration vulnerability exists in the login functionality of Ghost Foundation Ghost 5.9.4. A specially-crafted HTTP request can lead to a disclosure of sensitive information. An attacker can send a series of HTTP requests to trigger this vulnerability.

  • CVE-2026-53943Jun 24, 2026
    risk 0.00cvss epss 0.00

    Ghost is a Node.js content management system. From until 6.37.0, when Ghost is behind a shared caching layer that results in cached content being shared between different visitors, an unauthenticated user could send an x-ghost-preview header that altered the rendered frontend…

  • CVE-2026-53945Jun 24, 2026
    risk 0.00cvss epss 0.00

    Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, Ghost’s private-IP check for outbound HTTP requests could be bypassed via DNS rebinding, allowing an attacker to coerce the Ghost server into reaching hosts on internal networks through features that issue…

  • CVE-2026-53946Jun 24, 2026
    risk 0.00cvss epss 0.00

    Ghost is a Node.js content management system. From 6.19.4 until 6.21.1, when re-rendering posts, Ghost would refetch missing image dimensions by issuing an outbound HTTP request to the URL stored on an image card — without restricting that URL to trusted image hosts. An…

  • CVE-2026-53947Jun 24, 2026
    risk 0.00cvss epss 0.00

    Ghost is a Node.js content management system. From 5.18.0 until 6.21.1, a discrepancy in responses from the members signin endpoints made it possible for an unauthenticated attacker to determine whether a given email address belongs to a registered member of a Ghost site. This…

  • CVE-2026-53948Jun 24, 2026
    risk 0.00cvss epss 0.00

    Ghost is a Node.js content management system. From 6.19.4 until 6.21.1, insufficient validation of the client-supplied Content-Type on Ghost's Admin API file upload endpoint allowed uploaded files to be served from the site with an attacker-chosen content type on S3/GCS storage…

  • CVE-2026-53949Jun 24, 2026
    risk 0.00cvss epss 0.00

    Ghost is a Node.js content management system. From 5.46.1 until 6.21.2, the validation applied to filters on the public API endpoints could be partially bypassed, making it possible to reveal private fields via a brute force attack. If SQLite was used as the database password…

  • CVE-2026-29784Mar 7, 2026
    risk 0.00cvss epss 0.00

    Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to…

  • CVE-2026-29053Mar 5, 2026
    risk 0.00cvss epss 0.00

    Ghost is a Node.js content management system. From version 0.7.2 to 6.19.0, specifically crafted malicious themes can execute arbitrary code on the server running Ghost. This issue has been patched in version 6.19.1.

  • CVE-2026-24778Jan 27, 2026
    risk 0.00cvss epss 0.00

    Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, an attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaScript with the victim's…

  • CVE-2026-22596Jan 10, 2026
    risk 0.00cvss epss 0.00

    Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL. This issue has…

  • CVE-2026-22595Jan 10, 2026
    risk 0.00cvss epss 0.00

    Ghost is a Node.js content management system. In versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's handling of Staff Token authentication allowed certain endpoints to be accessed that were only intended to be accessible via Staff Session…

Page 1 of 3