ghost is vulnerable to remote code execution. The vulnerability exists due to a lack of sanitization in the upload and update function, allowing an attacker to inject a maliciously crafted script via an SVG file. NOTE: Vendor states that as outlined in Ghost’s security documentation, upload of SVGs is only possible by trusted authenticated users. The uploading of SVG files to Ghost does not represent a remote code execution vulnerability. SVGs are not executable on the server, and may only execute JavaScript in a client’s browser - this is expected and intentional functionality.
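
The following is an added example, not Ghost's code and not part of the original advisory: a dependency-free Node.js heuristic that a reviewer or upload gate could run over an SVG to list the constructs that execute script in a browser. The function names, finding labels and sample documents are assumptions constructed for illustration.

```javascript
// Added example: flag script-capable constructs in an SVG document.
// Heuristic detector for review or rejection, not a sanitizer. It fails closed:
// markup inside comments or CDATA is reported as well.

const ACTIVE_ELEMENTS = new Set(['script', 'foreignobject']);
// Start tags, with quoted attribute values allowed to contain '>'.
const TAG = /<([a-z][\w:.-]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
const ATTR = /([^\s=\/"'<>]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

// Resolve numeric character references so an encoded scheme is still recognised.
function decodeNumericEntities(text) {
  return text.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (m, code) => {
    const n = /^x/i.test(code) ? parseInt(code.slice(1), 16) : parseInt(code, 10);
    return n > 0 && n <= 0x10ffff ? String.fromCodePoint(n) : m;
  });
}

// Returns labels such as "element:script", "handler:onload", "uri:href".
function findActiveSvgContent(svgText) {
  const findings = [];
  for (const [, rawName, rawAttrs] of svgText.matchAll(TAG)) {
    // Drop any namespace prefix: <svg:script> is still a script element.
    const name = rawName.split(':').pop().toLowerCase();
    if (ACTIVE_ELEMENTS.has(name)) findings.push(`element:${name}`);
    for (const [, attrName, dq, sq, bare] of rawAttrs.matchAll(ATTR)) {
      const attr = attrName.split(':').pop().toLowerCase();
      const value = decodeNumericEntities(dq || sq || bare || '');
      // Browsers ignore whitespace and control characters inside a URL scheme.
      const scheme = value.replace(/[\u0000-\u0020]/g, '').toLowerCase();
      if (attr.startsWith('on')) findings.push(`handler:${attr}`);
      else if (scheme.startsWith('javascript:')) findings.push(`uri:${attr}`);
    }
  }
  return findings;
}

// Constructed sample inputs (not taken from any real upload).
const SAMPLE_ACTIVE =
  '<svg xmlns="http://www.w3.org/2000/svg" onload="init()">' +
  '<script>init()</script><a href="java&#115;cript:init()"><text>x</text></a></svg>';
const SAMPLE_STATIC =
  '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4" fill="red"/></svg>';

console.log(findActiveSvgContent(SAMPLE_ACTIVE)); // three findings
console.log(findActiveSvgContent(SAMPLE_STATIC)); // none
```

Any finding means the file can run script when a browser renders it as a document, which is the client-side behaviour the vendor note describes.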