Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/647697?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/647697?format=api", "purl": "pkg:npm/ghost@5.50.1", "type": "npm", "namespace": "", "name": "ghost", "version": "5.50.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "6.19.3", "latest_non_vulnerable_version": "6.19.3", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/31621?format=api", "vulnerability_id": "VCID-3u5f-347g-a7cz", "summary": "Ghost is a Node.js content management system. Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions, and read member information. This security vulnerability is present in Ghost v4.46.0-v5.89.4. v5.89.5 contains a fix for this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-43409", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00454", "scoring_system": "epss", "scoring_elements": "0.64355", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00454", "scoring_system": "epss", "scoring_elements": "0.64364", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00454", "scoring_system": "epss", "scoring_elements": "0.64368", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00454", "scoring_system": "epss", "scoring_elements": "0.64252", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-43409" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43409", "reference_id": "CVE-2024-43409", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43409" }, { "reference_url": "https://github.com/TryGhost/Ghost/commit/dac25612520b571f58679764ecc27109e641d1db", "reference_id": "dac25612520b571f58679764ecc27109e641d1db", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-21T14:32:40Z/" } ], "url": "https://github.com/TryGhost/Ghost/commit/dac25612520b571f58679764ecc27109e641d1db" }, { "reference_url": "https://github.com/advisories/GHSA-78x2-cwp9-5j42", "reference_id": "GHSA-78x2-cwp9-5j42", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-78x2-cwp9-5j42" }, { "reference_url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-78x2-cwp9-5j42", "reference_id": "GHSA-78x2-cwp9-5j42", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-21T14:32:40Z/" } ], "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-78x2-cwp9-5j42" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/33053?format=api", "purl": "pkg:npm/ghost@5.89.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-cv37-vmbh-hbge" }, { "vulnerability": "VCID-f173-31n6-73fu" }, { "vulnerability": "VCID-uv9z-tvr6-7ugm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/ghost@5.89.5" } ], "aliases": [ "CVE-2024-43409", "GHSA-78x2-cwp9-5j42" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3u5f-347g-a7cz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/33369?format=api", "vulnerability_id": "VCID-744d-rhkz-87fp", "summary": "Ghost through 5.76.0 allows stored XSS, and resultant privilege escalation in which a contributor can take over any account, via an SVG profile picture that contains JavaScript code to interact with the API on localhost TCP port 3001. NOTE: The discoverer reports that \"The vendor does not view this as a valid vector.\"", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-23724", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.38375", "scoring_system": "epss", "scoring_elements": "0.97344", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.38375", "scoring_system": "epss", "scoring_elements": "0.97345", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.38375", "scoring_system": "epss", "scoring_elements": "0.97335", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.38375", "scoring_system": "epss", "scoring_elements": "0.97342", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-23724" }, { "reference_url": "https://rhinosecuritylabs.com/blog", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://rhinosecuritylabs.com/blog" }, { "reference_url": "https://github.com/TryGhost/Ghost/pull/19646", "reference_id": "19646", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-12T17:17:21Z/" } ], "url": "https://github.com/TryGhost/Ghost/pull/19646" }, { "reference_url": "https://rhinosecuritylabs.com/blog/", "reference_id": "blog", "reference_type": "", "scores": [ { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-12T17:17:21Z/" } ], "url": "https://rhinosecuritylabs.com/blog/" }, { "reference_url": "https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2024-23724", "reference_id": "CVE-2024-23724", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-12T17:17:21Z/" } ], "url": "https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2024-23724" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23724", "reference_id": "CVE-2024-23724", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23724" }, { "reference_url": "https://github.com/advisories/GHSA-99vc-xw8j-phjm", "reference_id": "GHSA-99vc-xw8j-phjm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-99vc-xw8j-phjm" } ], "fixed_packages": [], "aliases": [ "CVE-2024-23724", "GHSA-99vc-xw8j-phjm" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-744d-rhkz-87fp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/150484?format=api", "vulnerability_id": "VCID-c6w8-e895-yffy", "summary": "Ghost is an open source content management system. Versions prior to 5.59.1 are subject to a vulnerability which allows authenticated users to upload files that are symlinks. This can be exploited to perform an arbitrary file read of any file on the host operating system. Site administrators can check for exploitation of this issue by looking for unknown symlinks within Ghost's `content/` folder. Version 5.59.1 contains a fix for this issue. All users are advised to upgrade. There are no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-40028", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.77606", "scoring_system": "epss", "scoring_elements": "0.99012", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.77606", "scoring_system": "epss", "scoring_elements": "0.99017", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.77606", "scoring_system": "epss", "scoring_elements": "0.99016", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-40028" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40028", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40028" }, { "reference_url": "https://github.com/TryGhost/Ghost/commit/690fbf3f7302ff3f77159c0795928bdd20f41205", "reference_id": "690fbf3f7302ff3f77159c0795928bdd20f41205", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T17:45:27Z/" } ], "url": "https://github.com/TryGhost/Ghost/commit/690fbf3f7302ff3f77159c0795928bdd20f41205" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52409.py", "reference_id": "CVE-2023-40028", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52409.py" }, { "reference_url": "https://github.com/advisories/GHSA-9c9v-w225-v5rg", "reference_id": "GHSA-9c9v-w225-v5rg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9c9v-w225-v5rg" }, { "reference_url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-9c9v-w225-v5rg", "reference_id": "GHSA-9c9v-w225-v5rg", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T17:45:27Z/" } ], "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-9c9v-w225-v5rg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/380666?format=api", "purl": "pkg:npm/ghost@5.59.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u5f-347g-a7cz" }, { "vulnerability": "VCID-744d-rhkz-87fp" }, { "vulnerability": "VCID-cv37-vmbh-hbge" }, { "vulnerability": "VCID-f173-31n6-73fu" }, { "vulnerability": "VCID-uv9z-tvr6-7ugm" }, { "vulnerability": "VCID-v17s-qgdp-cyan" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/ghost@5.59.1" } ], "aliases": [ "CVE-2023-40028", "GHSA-9c9v-w225-v5rg" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c6w8-e895-yffy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70890?format=api", "vulnerability_id": "VCID-cv37-vmbh-hbge", "summary": "Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26980", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.56657", "scoring_system": "epss", "scoring_elements": "0.98173", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.56657", "scoring_system": "epss", "scoring_elements": "0.98174", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.56657", "scoring_system": "epss", "scoring_elements": "0.98172", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.56657", "scoring_system": "epss", "scoring_elements": "0.98166", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26980" }, { "reference_url": "https://blog.xlab.qianxin.com/ghost-cms-page-poisoning-cve-2026-26980", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://blog.xlab.qianxin.com/ghost-cms-page-poisoning-cve-2026-26980" }, { "reference_url": "https://github.com/TryGhost/Ghost/commit/30868d632b2252b638bc8a4c8ebf73964592ed91", "reference_id": "30868d632b2252b638bc8a4c8ebf73964592ed91", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:30:19Z/" } ], "url": "https://github.com/TryGhost/Ghost/commit/30868d632b2252b638bc8a4c8ebf73964592ed91" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52555.txt", "reference_id": "CVE-2026-26980", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52555.txt" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26980", "reference_id": "CVE-2026-26980", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26980" }, { "reference_url": "https://github.com/advisories/GHSA-w52v-v783-gw97", "reference_id": "GHSA-w52v-v783-gw97", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w52v-v783-gw97" }, { "reference_url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97", "reference_id": "GHSA-w52v-v783-gw97", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:30:19Z/" } ], "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97" }, { "reference_url": "https://github.com/TryGhost/Ghost/releases/tag/v6.19.1", "reference_id": "v6.19.1", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:30:19Z/" } ], "url": "https://github.com/TryGhost/Ghost/releases/tag/v6.19.1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39368?format=api", "purl": "pkg:npm/ghost@6.19.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4chn-jutc-fue2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/ghost@6.19.1" } ], "aliases": [ "CVE-2026-26980", "GHSA-w52v-v783-gw97" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cv37-vmbh-hbge" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/82580?format=api", "vulnerability_id": "VCID-f173-31n6-73fu", "summary": "Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, an attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaScript with the victim's permissions, potentially leading to account takeover. Ghost Portal versions 2.29.1 through 2.51.4 and 2.52.0 through 2.57.0 were vulnerable to this issue. Ghost automatically loads the latest patch of the members Portal component via CDN. For Ghost 5.x users, upgrading to v5.121.0 or later fixes the vulnerability. v5.121.0 loads Portal v2.51.5, which contains the patch. For Ghost 6.x users, upgrading to v6.15.0 or later fixes the vulnerability. v6.15.0 loads Portal v2.57.1, which contains the patch. For Ghost installations using a customized or self-hosted version of Portal, it will be necessary to manually rebuild from or update to the latest patch version.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24778", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05759", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05778", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05752", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05769", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24778" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24778", "reference_id": "CVE-2026-24778", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24778" }, { "reference_url": "https://github.com/TryGhost/Ghost/commit/da858e640e88e69c1773a7b7ecdc2008fa143849", "reference_id": "da858e640e88e69c1773a7b7ecdc2008fa143849", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-28T21:11:07Z/" } ], "url": "https://github.com/TryGhost/Ghost/commit/da858e640e88e69c1773a7b7ecdc2008fa143849" }, { "reference_url": "https://github.com/advisories/GHSA-gv6q-2m97-882h", "reference_id": "GHSA-gv6q-2m97-882h", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gv6q-2m97-882h" }, { "reference_url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-gv6q-2m97-882h", "reference_id": "GHSA-gv6q-2m97-882h", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-28T21:11:07Z/" } ], "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-gv6q-2m97-882h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38305?format=api", "purl": "pkg:npm/ghost@5.121.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3mb5-8b85-d7bt" }, { "vulnerability": "VCID-4chn-jutc-fue2" }, { "vulnerability": "VCID-cv37-vmbh-hbge" }, { "vulnerability": "VCID-dqj6-6jfr-37ca" }, { "vulnerability": "VCID-k4ww-t1ck-jkcr" }, { "vulnerability": "VCID-uv9z-tvr6-7ugm" }, { "vulnerability": "VCID-z5jg-cfyj-sbg5" }, { "vulnerability": "VCID-z8d3-xben-ebay" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/ghost@5.121.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/38308?format=api", "purl": "pkg:npm/ghost@6.15.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4chn-jutc-fue2" }, { "vulnerability": "VCID-cv37-vmbh-hbge" }, { "vulnerability": "VCID-uv9z-tvr6-7ugm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/ghost@6.15.0" } ], "aliases": [ "CVE-2026-24778", "GHSA-gv6q-2m97-882h" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f173-31n6-73fu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/74005?format=api", "vulnerability_id": "VCID-uv9z-tvr6-7ugm", "summary": "Ghost is a Node.js content management system. From version 0.7.2 to 6.19.0, specifically crafted malicious themes can execute arbitrary code on the server running Ghost. This issue has been patched in version 6.19.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29053", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.09327", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.09318", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.09328", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.09276", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29053" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29053", "reference_id": "CVE-2026-29053", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29053" }, { "reference_url": "https://github.com/advisories/GHSA-cgc2-rcrh-qr5x", "reference_id": "GHSA-cgc2-rcrh-qr5x", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cgc2-rcrh-qr5x" }, { "reference_url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-cgc2-rcrh-qr5x", "reference_id": "GHSA-cgc2-rcrh-qr5x", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H" }, { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-05T15:29:20Z/" } ], "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-cgc2-rcrh-qr5x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39368?format=api", "purl": "pkg:npm/ghost@6.19.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4chn-jutc-fue2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/ghost@6.19.1" } ], "aliases": [ "CVE-2026-29053", "GHSA-cgc2-rcrh-qr5x" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uv9z-tvr6-7ugm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/33647?format=api", "vulnerability_id": "VCID-v17s-qgdp-cyan", "summary": "Ghost before 5.76.0 allows XSS via a post excerpt in excerpt.js. An XSS payload can be rendered in post summaries.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-23725", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.29831", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.29833", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.29848", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.29634", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-23725" }, { "reference_url": "https://github.com/yunaycompany/Ghost/commit/64d67717f7c76c77b3908e15627f473e9ef34002", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/yunaycompany/Ghost/commit/64d67717f7c76c77b3908e15627f473e9ef34002" }, { "reference_url": "https://github.com/TryGhost/Ghost/pull/17190", "reference_id": "17190", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T17:35:42Z/" } ], "url": "https://github.com/TryGhost/Ghost/pull/17190" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23725", "reference_id": "CVE-2024-23725", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23725" }, { "reference_url": "https://github.com/advisories/GHSA-fh38-9fgr-454w", "reference_id": "GHSA-fh38-9fgr-454w", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fh38-9fgr-454w" }, { "reference_url": "https://github.com/TryGhost/Ghost/releases/tag/v5.76.0", "reference_id": "v5.76.0", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T17:35:42Z/" } ], "url": "https://github.com/TryGhost/Ghost/releases/tag/v5.76.0" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/28506?format=api", "purl": "pkg:npm/ghost@5.76.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u5f-347g-a7cz" }, { "vulnerability": "VCID-744d-rhkz-87fp" }, { "vulnerability": "VCID-cv37-vmbh-hbge" }, { "vulnerability": "VCID-f173-31n6-73fu" }, { "vulnerability": "VCID-uv9z-tvr6-7ugm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/ghost@5.76.0" } ], "aliases": [ "CVE-2024-23725", "GHSA-fh38-9fgr-454w" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v17s-qgdp-cyan" } ], "fixing_vulnerabilities": [], "risk_score": "10.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/ghost@5.50.1" }