13 matches found

Snyk
added 2026/03/05 8:14 a.m.

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Overview: ghost is a publishing platform. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'). An attacker can execute arbitrary code on the server by submitting a specially crafted malicious theme...

CVSS 9.8 | AI score 6.1 | EPSS 0.0003
Exploits: 3 | References: 2
Snyk
added 2026/03/05 12:42 a.m.

Cross-site Request Forgery (CSRF)

Overview: ghost is a publishing platform. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the /session/verify component. An attacker can gain unauthorized access to user sessions by exploiting incomplete protections, potentially allowing takeover of site...

CVSS 8.8 | AI score 5.6 | EPSS 0.00025
Exploits: 0 | References: 2
Positive Technologies
added 2026/03/03 12:00 a.m.

PT-2026-23004

Name of the Vulnerable Software and Affected Versions: Ghost versions 0.7.2 through 6.19.0. Description: Ghost, a Node.js content management system, is affected by a code execution issue. Maliciously crafted themes can execute arbitrary code on the server. It is recommended to avoid installing...

CVSS 9.8 | AI score 6.5 | EPSS 0.0003
Exploits: 3 | References: 12
Github Security Blog
added 2026/02/18 9:50 p.m.

Ghost has a SQL injection in Content API

Impact: A SQL injection vulnerability existed in Ghost's Content API that allowed unauthenticated attackers to read arbitrary data from the database. Vulnerable Versions: This vulnerability is present in Ghost v3.24.0 to v6.19.0. Patches: v6.19.1 contains a fix for this issue. Note: as this...

CVSS 9.4 | AI score 6.2 | EPSS 0.56657
Exploits: 6 | References: 5 | Affected software: 1
Snyk
added 2026/02/18 9:50 p.m.

SQL Injection

Overview: ghost is a publishing platform. Affected versions of this package are vulnerable to SQL Injection in the slug filter ordering logic in the Content API. An attacker can access and read arbitrary data from the database by injecting crafted SQL queries through the filter parameter in API...

CVSS 9.4 | AI score 6.2 | EPSS 0.56657
Exploits: 6 | References: 2
Snyk
added 2026/01/10 3:44 a.m.

Missing Critical Step in Authentication

Overview: ghost is a publishing platform. Affected versions of this package are vulnerable to Missing Critical Step in Authentication via the 2FA authentication. An attacker can gain unauthorized access to staff accounts by bypassing the email-based two-factor authentication step. Remediation: Upgra...

CVSS 8.6 | AI score 7.1 | EPSS 0.00009
Exploits: 0 | References: 2
Snyk
added 2026/01/10 3:44 a.m.

Incorrect Authorization

Overview: ghost is a publishing platform. Affected versions of this package are vulnerable to Incorrect Authorization via improper handling of authentication for endpoints intended for Staff Session access. An attacker can gain unauthorized access to restricted endpoints by using Staff Tokens...

CVSS 8.1 | AI score 7.1 | EPSS 0.0002
Exploits: 0 | References: 2
Snyk
added 2026/01/08 9:36 p.m.

SQL Injection

Overview: ghost is a publishing platform. Affected versions of this package are vulnerable to SQL Injection via the /ghost/api/admin/members/events endpoint due to the improper validation of postId. An attacker can execute arbitrary SQL commands by sending crafted requests to this endpoint while...

CVSS 8.6 | AI score 8.2 | EPSS 0.00053
Exploits: 0 | References: 2
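The two SQL Injection entries above (the Content API ordering logic, and the postId accepted by the admin members/events endpoint) put user input into SQL in two different positions: an identifier position (ORDER BY) and a value position (a WHERE filter). The following is an added example, not Ghost's code and not drawn from either advisory: a vulnerable ORDER BY builder beside an allowlisted one, and a value filter passed as a bind parameter. The table and column names, the 24-hex id format and the payload are assumptions constructed for this example.

```javascript
// Added example (not Ghost's code). User input reaches SQL in two positions:
// as an identifier (ORDER BY column) and as a value (a postId filter).
// Bind parameters protect values, but databases do not accept bind
// parameters for identifiers, so the ordering position needs an allowlist.
// Table/column names and the 24-hex id format are assumptions for this example.

// Vulnerable pattern: the caller's order string is interpolated into SQL.
function buildOrderClauseUnsafe(order) {
  return `SELECT id, slug FROM posts ORDER BY ${order}`;
}

const ORDERABLE_COLUMNS = new Set(['slug', 'title', 'published_at', 'created_at']);
const DIRECTIONS = new Set(['asc', 'desc']);

// Parse "column [asc|desc], ..." and accept only known columns and directions.
function parseOrder(order) {
  if (typeof order !== 'string' || order.length > 200) {
    throw new Error('invalid order parameter');
  }
  const clauses = order.split(',').map((c) => c.trim()).filter(Boolean);
  if (clauses.length === 0 || clauses.length > 3) {
    throw new Error('invalid order parameter');
  }
  return clauses.map((clause) => {
    const parts = clause.split(/\s+/);
    if (parts.length > 2) throw new Error(`invalid order clause: ${clause}`);
    const [column, direction = 'asc'] = parts;
    if (!ORDERABLE_COLUMNS.has(column)) throw new Error(`unknown column: ${column}`);
    if (!DIRECTIONS.has(direction.toLowerCase())) throw new Error(`invalid direction: ${direction}`);
    return { column, direction: direction.toUpperCase() };
  });
}

// Hardened pattern: only allowlisted tokens are ever concatenated.
function buildOrderClauseSafe(order) {
  const parts = parseOrder(order).map(({ column, direction }) => `"${column}" ${direction}`);
  return `SELECT id, slug FROM posts ORDER BY ${parts.join(', ')}`;
}

// Value position: validate the shape, then hand it over as a bind parameter.
// Assumed id format: 24 hex characters. The statement and its parameters are
// returned separately so the driver, not string concatenation, substitutes them.
const ID_PATTERN = /^[0-9a-f]{24}$/;

function buildEventsQuery(postId) {
  if (typeof postId !== 'string' || !ID_PATTERN.test(postId)) {
    throw new Error('invalid postId');
  }
  return {
    sql: 'SELECT id, type, created_at FROM members_events WHERE post_id = ? ORDER BY created_at DESC',
    params: [postId],
  };
}

// Stand-alone demonstration with a constructed injection payload.
const payload = "slug; SELECT password_hash FROM users --";
console.log('unsafe:', buildOrderClauseUnsafe(payload));
console.log('safe  :', buildOrderClauseSafe('published_at desc, slug'));
try {
  buildOrderClauseSafe(payload);
} catch (err) {
  console.log('rejected:', err.message);
}
```

The allowlist is the whole fix for the identifier position: nothing from the request is ever copied into the statement, only tokens the application already owns. For the value position, shape validation alone is not the defence; the bind parameter is, and the regex just rejects garbage early with a clear error.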
Snyk
added 2026/01/08 9:36 p.m.

Server-side Request Forgery (SSRF)

Overview: ghost is a publishing platform. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the media inliner component. An attacker can access internal resources by sending crafted requests through the API while authenticated as a staff user. Remediation: Upgra...

CVSS 5.1 | AI score 6.7 | EPSS 0.00034
Exploits: 0 | References: 2
Snyk
added 2025/09/15 8:31 p.m.

Server-side Request Forgery (SSRF)

Overview: ghost is a publishing platform. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the oEmbed mechanism. An attacker can access internal resources or exfiltrate sensitive data by submitting crafted URLs to the affected endpoint. This is only exploitab...

CVSS 6.8 | AI score 6.6 | EPSS 0.00024
Exploits: 1 | References: 2
CNNVD
added 2023/01/19 12:00 a.m.

Ghost Foundation Ghost Cross-Site Scripting Vulnerability

Ghost Foundation Ghost is an open source personal blogging system written in JavaScript. A security vulnerability exists in Ghost Foundation Ghost 5.9.4, stemming from an insecure default in the post creation feature. The default installation ...

CVSS 9.0 | AI score 7.4 | EPSS 0.00361
Exploits: 1 | References: 3
ThreatPost
added 2020/05/04 7:23 p.m.

Hackers Exploit Critical Flaw in Ghost Platform with Cryptojacking Attack

Hackers targeted the publishing platform Ghost over the weekend, launching a cryptojacking attack against its servers that led to widespread outages. The attack stemmed from the exploit of critical vulnerabilities in SaltStack, used in Ghost’s server management infrastructure. Ghost is a free,...

CVSS 7.5 | AI score 9.3 | EPSS 0.94234
Exploits: 24 | References: 12
Positive Technologies
added 2020/03/20 12:00 a.m.

PT-2020-19970 · Ghost · Ghost Cms

Name of the Vulnerable Software and Affected Versions: Ghost CMS versions prior to 3.10.0. Description: A server-side request forgery (SSRF) issue allows an attacker to scan local or external networks or interact with internal systems. Recommendations: For Ghost CMS versions prior to 3.10.0, update ...

CVSS 8.1 | AI score 7.9 | EPSS 0.00299
Exploits: 1 | References: 6