Lucene search

11 matches found

RedhatCVE
added 2026/01/13 10:52 p.m., 2 views

CVE-2026-22597

Ghost is a Node.js content management system. In versions 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost’s media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API to exfiltrate data from internal systems via SSRF...

CVSS 5.1 | AI score 7 | EPSS 0.00068
Exploits 0 | References 1

Snyk
added 2026/01/10 3:44 a.m., 2 views

Incorrect Authorization

Overview: ghost is a publishing platform. Affected versions of this package are vulnerable to Incorrect Authorization via improper handling of authentication for endpoints intended for Staff Session access. An attacker can gain unauthorized access to restricted endpoints by using Staff Tokens...

CVSS 8.1 | AI score 7.1 | EPSS 0.00038
Exploits 0 | References 2

NVD
added 2026/01/10 3:15 a.m., 1 view

CVE-2026-22596

Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL. This issue has been patched in...

CVSS 7.2 | EPSS 0.00139
Exploits 0 | References 3

NVD
added 2026/01/10 3:15 a.m., 2 views

CVE-2026-22595

Ghost is a Node.js content management system. In versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's handling of Staff Token authentication allowed certain endpoints to be accessed that were only intended to be accessible via Staff Session authentication. Externa...

CVSS 8.1 | EPSS 0.00038
Exploits 0 | References 3

Cvelist
added 2026/01/10 2:57 a.m., 20 views

CVE-2026-22597 Ghost has SSRF via External Media Inliner

Ghost is a Node.js content management system. In versions 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost’s media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API to exfiltrate data from internal systems via SSRF...

CVSS 5.1 | EPSS 0.00068
Exploits 0 | References 3

CVE
added 2026/01/10 2:57 a.m., 10 views

CVE-2026-22596

CVE-2026-22596 affects Ghost, a Node.js CMS. A SQL injection flaw exists in Ghost’s /ghost/api/admin/members/events endpoint due to insufficient input validation, exploitable by users with Admin API credentials. Affected versions: 5.90.0–5.130.5 and 6.0.0–6.10.3. The issue allows arbitrary SQL ex...

CVSS 7.2 | AI score 7.2 | EPSS 0.00139
Exploits 0 | References 3 | Affected Software 1

OSV
added 2026/01/10 2:57 a.m., 1 view

CVE-2026-22596 Ghost has SQL Injection in Members Activity Feed

Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL. This issue has been patched in...

CVSS 6.7 | AI score 7.2 | EPSS 0.00139
Exploits 0 | References 5

Cvelist
added 2026/01/10 2:57 a.m., 13 views

CVE-2026-22595 Ghost has Staff Token permission bypass

Ghost is a Node.js content management system. In versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's handling of Staff Token authentication allowed certain endpoints to be accessed that were only intended to be accessible via Staff Session authentication. Externa...

CVSS 8.1 | EPSS 0.00038
Exploits 0 | References 3

OSV
added 2026/01/10 2:57 a.m., 1 view

CVE-2026-22595 Ghost has Staff Token permission bypass

Ghost is a Node.js content management system. In versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's handling of Staff Token authentication allowed certain endpoints to be accessed that were only intended to be accessible via Staff Session authentication. Externa...

CVSS 8.1 | AI score 6.6 | EPSS 0.00038
Exploits 0 | References 5

Positive Technologies
added 2026/01/10 12:0 a.m., 3 views

PT-2026-2218

Name of the Vulnerable Software and Affected Versions: Ghost versions 5.90.0 through 5.130.5; Ghost versions 6.0.0 through 6.10.3. Description: Ghost is a Node.js content management system. A flaw in the /ghost/api/admin/members/events API endpoint permits authenticated Admin API users to execute...

CVSS 7.2 | AI score 7.2 | EPSS 0.00139
Exploits 0 | References 9

OSV
added 2026/01/08 9:36 p.m., 2 views

GHSA-GJRP-XGMH-X9QQ Ghost has SQL Injection in Members Activity Feed

Impact: A vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL. Vulnerable versions: This vulnerability is present in Ghost v5.90.0 to v5.130.5 and Ghost v6.0.0 to v6.10.3. Patches: v5.130.6 and...

CVSS 6.7 | AI score 7.5 | EPSS 0.00139
Exploits 0 | References 5