3 matches found
BIT-GHOST-2026-53949 Ghost Content API filter bypass reveals private fields
Ghost is a Node.js content management system. From 5.46.1 until 6.21.2, the validation applied to filters on the public API endpoints could be partially bypassed, making it possible to reveal private fields via a brute force attack. If SQLite was used as the database password hashes were fully...
CVE-2026-53949
Summary (CVE-2026-53949) Ghost CMS (Node.js). Affected versions: 5.46.1–6.21.2. Description: validation on filters for public API endpoints could be partially bypassed, enabling disclosure of private fields via brute-force. Impact depends on database: with SQLite, password hashes were fully acces...
PT-2026-20787
Name of the Vulnerable Software and Affected Versions Ghost versions 3.24.0 through 6.19.0 Description A blind SQL injection exists in the Content API of Ghost, a Node.js content management system. The issue stems from the use of string concatenation instead of parameterized queries when processi...