Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/905511?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/905511?format=api", "purl": "pkg:npm/ghost@6.2.0", "type": "npm", "namespace": "", "name": "ghost", "version": "6.2.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "6.19.3", "latest_non_vulnerable_version": "6.19.3", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/73948?format=api", "vulnerability_id": "VCID-4chn-jutc-fue2", "summary": "Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to take over a Ghost site. This issue has been patched in version 6.19.3.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29784", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07583", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07597", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.0756", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07592", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29784" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29784", "reference_id": "CVE-2026-29784", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29784" }, { "reference_url": "https://github.com/TryGhost/Ghost/commit/ec065a774fa125953d2aa644a59cd8990329e0a0", "reference_id": "ec065a774fa125953d2aa644a59cd8990329e0a0", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-09T17:39:47Z/" } ], "url": "https://github.com/TryGhost/Ghost/commit/ec065a774fa125953d2aa644a59cd8990329e0a0" }, { "reference_url": "https://github.com/advisories/GHSA-9m84-wc28-w895", "reference_id": "GHSA-9m84-wc28-w895", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9m84-wc28-w895" }, { "reference_url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-9m84-wc28-w895", "reference_id": "GHSA-9m84-wc28-w895", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-09T17:39:47Z/" } ], "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-9m84-wc28-w895" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40248?format=api", "purl": "pkg:npm/ghost@6.19.3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/ghost@6.19.3" } ], "aliases": [ "CVE-2026-29784", "GHSA-9m84-wc28-w895" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4chn-jutc-fue2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70890?format=api", "vulnerability_id": "VCID-cv37-vmbh-hbge", "summary": "Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26980", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.56657", "scoring_system": "epss", "scoring_elements": "0.98173", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.56657", "scoring_system": "epss", "scoring_elements": "0.98174", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.56657", "scoring_system": "epss", "scoring_elements": "0.98172", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.56657", "scoring_system": "epss", "scoring_elements": "0.98166", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26980" }, { "reference_url": "https://blog.xlab.qianxin.com/ghost-cms-page-poisoning-cve-2026-26980", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://blog.xlab.qianxin.com/ghost-cms-page-poisoning-cve-2026-26980" }, { "reference_url": "https://github.com/TryGhost/Ghost/commit/30868d632b2252b638bc8a4c8ebf73964592ed91", "reference_id": "30868d632b2252b638bc8a4c8ebf73964592ed91", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:30:19Z/" } ], "url": "https://github.com/TryGhost/Ghost/commit/30868d632b2252b638bc8a4c8ebf73964592ed91" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52555.txt", "reference_id": "CVE-2026-26980", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52555.txt" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26980", "reference_id": "CVE-2026-26980", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26980" }, { "reference_url": "https://github.com/advisories/GHSA-w52v-v783-gw97", "reference_id": "GHSA-w52v-v783-gw97", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w52v-v783-gw97" }, { "reference_url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97", "reference_id": "GHSA-w52v-v783-gw97", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:30:19Z/" } ], "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97" }, { "reference_url": "https://github.com/TryGhost/Ghost/releases/tag/v6.19.1", "reference_id": "v6.19.1", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:30:19Z/" } ], "url": "https://github.com/TryGhost/Ghost/releases/tag/v6.19.1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39368?format=api", "purl": "pkg:npm/ghost@6.19.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4chn-jutc-fue2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/ghost@6.19.1" } ], "aliases": [ "CVE-2026-26980", "GHSA-w52v-v783-gw97" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cv37-vmbh-hbge" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/83710?format=api", "vulnerability_id": "VCID-dqj6-6jfr-37ca", "summary": "Ghost is a Node.js content management system. In versions 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost’s media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API to exfiltrate data from internal systems via SSRF. This issue has been patched in versions 5.130.6 and 6.11.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-22597", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10202", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10216", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10211", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10164", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-22597" }, { "reference_url": "https://github.com/TryGhost/Ghost/commit/15d49131ff4aac3aca8642501c793f01f2bfcbb9", "reference_id": "15d49131ff4aac3aca8642501c793f01f2bfcbb9", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-12T15:33:44Z/" } ], "url": "https://github.com/TryGhost/Ghost/commit/15d49131ff4aac3aca8642501c793f01f2bfcbb9" }, { "reference_url": "https://github.com/TryGhost/Ghost/commit/93add549ccf079d8e28bdb724fbb71a76942ff51", "reference_id": "93add549ccf079d8e28bdb724fbb71a76942ff51", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-12T15:33:44Z/" } ], "url": "https://github.com/TryGhost/Ghost/commit/93add549ccf079d8e28bdb724fbb71a76942ff51" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22597", "reference_id": "CVE-2026-22597", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22597" }, { "reference_url": "https://github.com/advisories/GHSA-vmc4-9828-r48r", "reference_id": "GHSA-vmc4-9828-r48r", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vmc4-9828-r48r" }, { "reference_url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-vmc4-9828-r48r", "reference_id": "GHSA-vmc4-9828-r48r", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-12T15:33:44Z/" } ], "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-vmc4-9828-r48r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36732?format=api", "purl": "pkg:npm/ghost@6.11.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4chn-jutc-fue2" }, { "vulnerability": "VCID-cv37-vmbh-hbge" }, { "vulnerability": "VCID-f173-31n6-73fu" }, { "vulnerability": "VCID-uv9z-tvr6-7ugm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/ghost@6.11.0" } ], "aliases": [ "CVE-2026-22597", "GHSA-vmc4-9828-r48r" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dqj6-6jfr-37ca" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/82580?format=api", "vulnerability_id": "VCID-f173-31n6-73fu", "summary": "Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, an attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaScript with the victim's permissions, potentially leading to account takeover. Ghost Portal versions 2.29.1 through 2.51.4 and 2.52.0 through 2.57.0 were vulnerable to this issue. Ghost automatically loads the latest patch of the members Portal component via CDN. For Ghost 5.x users, upgrading to v5.121.0 or later fixes the vulnerability. v5.121.0 loads Portal v2.51.5, which contains the patch. For Ghost 6.x users, upgrading to v6.15.0 or later fixes the vulnerability. v6.15.0 loads Portal v2.57.1, which contains the patch. For Ghost installations using a customized or self-hosted version of Portal, it will be necessary to manually rebuild from or update to the latest patch version.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24778", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05759", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05778", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05752", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05769", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24778" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24778", "reference_id": "CVE-2026-24778", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24778" }, { "reference_url": "https://github.com/TryGhost/Ghost/commit/da858e640e88e69c1773a7b7ecdc2008fa143849", "reference_id": "da858e640e88e69c1773a7b7ecdc2008fa143849", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-28T21:11:07Z/" } ], "url": "https://github.com/TryGhost/Ghost/commit/da858e640e88e69c1773a7b7ecdc2008fa143849" }, { "reference_url": "https://github.com/advisories/GHSA-gv6q-2m97-882h", "reference_id": "GHSA-gv6q-2m97-882h", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gv6q-2m97-882h" }, { "reference_url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-gv6q-2m97-882h", "reference_id": "GHSA-gv6q-2m97-882h", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-28T21:11:07Z/" } ], "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-gv6q-2m97-882h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38308?format=api", "purl": "pkg:npm/ghost@6.15.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4chn-jutc-fue2" }, { "vulnerability": "VCID-cv37-vmbh-hbge" }, { "vulnerability": "VCID-uv9z-tvr6-7ugm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/ghost@6.15.0" } ], "aliases": [ "CVE-2026-24778", "GHSA-gv6q-2m97-882h" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f173-31n6-73fu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/83698?format=api", "vulnerability_id": "VCID-k4ww-t1ck-jkcr", "summary": "Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL. This issue has been patched in versions 5.130.6 and 6.11.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-22596", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16437", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16465", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16453", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.1631", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-22596" }, { "reference_url": "https://github.com/TryGhost/Ghost/commit/cda236e455a7a30e828b6cba3c430e5796ded955", "reference_id": "cda236e455a7a30e828b6cba3c430e5796ded955", "reference_type": "", "scores": [ { "value": "6.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-12T17:37:34Z/" } ], "url": "https://github.com/TryGhost/Ghost/commit/cda236e455a7a30e828b6cba3c430e5796ded955" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22596", "reference_id": "CVE-2026-22596", "reference_type": "", "scores": [ { "value": "6.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22596" }, { "reference_url": "https://github.com/TryGhost/Ghost/commit/f2165f968bcdaae0e35590b38fa280ab03239391", "reference_id": "f2165f968bcdaae0e35590b38fa280ab03239391", "reference_type": "", "scores": [ { "value": "6.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-12T17:37:34Z/" } ], "url": "https://github.com/TryGhost/Ghost/commit/f2165f968bcdaae0e35590b38fa280ab03239391" }, { "reference_url": "https://github.com/advisories/GHSA-gjrp-xgmh-x9qq", "reference_id": "GHSA-gjrp-xgmh-x9qq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gjrp-xgmh-x9qq" }, { "reference_url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-gjrp-xgmh-x9qq", "reference_id": "GHSA-gjrp-xgmh-x9qq", "reference_type": "", "scores": [ { "value": "6.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-12T17:37:34Z/" } ], "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-gjrp-xgmh-x9qq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36732?format=api", "purl": "pkg:npm/ghost@6.11.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4chn-jutc-fue2" }, { "vulnerability": "VCID-cv37-vmbh-hbge" }, { "vulnerability": "VCID-f173-31n6-73fu" }, { "vulnerability": "VCID-uv9z-tvr6-7ugm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/ghost@6.11.0" } ], "aliases": [ "CVE-2026-22596", "GHSA-gjrp-xgmh-x9qq" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k4ww-t1ck-jkcr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/74005?format=api", "vulnerability_id": "VCID-uv9z-tvr6-7ugm", "summary": "Ghost is a Node.js content management system. From version 0.7.2 to 6.19.0, specifically crafted malicious themes can execute arbitrary code on the server running Ghost. This issue has been patched in version 6.19.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29053", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.09327", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.09318", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.09328", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.09276", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29053" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29053", "reference_id": "CVE-2026-29053", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29053" }, { "reference_url": "https://github.com/advisories/GHSA-cgc2-rcrh-qr5x", "reference_id": "GHSA-cgc2-rcrh-qr5x", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cgc2-rcrh-qr5x" }, { "reference_url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-cgc2-rcrh-qr5x", "reference_id": "GHSA-cgc2-rcrh-qr5x", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H" }, { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-05T15:29:20Z/" } ], "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-cgc2-rcrh-qr5x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39368?format=api", "purl": "pkg:npm/ghost@6.19.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4chn-jutc-fue2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/ghost@6.19.1" } ], "aliases": [ "CVE-2026-29053", "GHSA-cgc2-rcrh-qr5x" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uv9z-tvr6-7ugm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/83854?format=api", "vulnerability_id": "VCID-z5jg-cfyj-sbg5", "summary": "Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. This issue has been patched in versions 5.130.6 and 6.11.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-22594", "reference_id": "", "reference_type": "", "scores": [ { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.0082", "published_at": "2026-06-14T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00814", "published_at": "2026-06-12T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00818", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-22594" }, { "reference_url": "https://github.com/TryGhost/Ghost/commit/b59f707f670e6f175b669977724ccf16c718430b", "reference_id": "b59f707f670e6f175b669977724ccf16c718430b", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-12T17:53:47Z/" } ], "url": "https://github.com/TryGhost/Ghost/commit/b59f707f670e6f175b669977724ccf16c718430b" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22594", "reference_id": "CVE-2026-22594", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22594" }, { "reference_url": "https://github.com/TryGhost/Ghost/commit/fc7bc2fb0888513498154ec5cb4b21eccb88de07", "reference_id": "fc7bc2fb0888513498154ec5cb4b21eccb88de07", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-12T17:53:47Z/" } ], "url": "https://github.com/TryGhost/Ghost/commit/fc7bc2fb0888513498154ec5cb4b21eccb88de07" }, { "reference_url": "https://github.com/advisories/GHSA-5fp7-g646-ccf4", "reference_id": "GHSA-5fp7-g646-ccf4", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5fp7-g646-ccf4" }, { "reference_url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-5fp7-g646-ccf4", "reference_id": "GHSA-5fp7-g646-ccf4", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-12T17:53:47Z/" } ], "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-5fp7-g646-ccf4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36732?format=api", "purl": "pkg:npm/ghost@6.11.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4chn-jutc-fue2" }, { "vulnerability": "VCID-cv37-vmbh-hbge" }, { "vulnerability": "VCID-f173-31n6-73fu" }, { "vulnerability": "VCID-uv9z-tvr6-7ugm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/ghost@6.11.0" } ], "aliases": [ "CVE-2026-22594", "GHSA-5fp7-g646-ccf4" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z5jg-cfyj-sbg5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/83537?format=api", "vulnerability_id": "VCID-z8d3-xben-ebay", "summary": "Ghost is a Node.js content management system. In versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's handling of Staff Token authentication allowed certain endpoints to be accessed that were only intended to be accessible via Staff Session authentication. External systems that have been authenticated via Staff Tokens for Admin/Owner-role users would have had access to these endpoints. This issue has been patched in versions 5.130.6 and 6.11.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-22595", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05637", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05645", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05652", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05626", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-22595" }, { "reference_url": "https://github.com/TryGhost/Ghost/commit/9513d2a35c21067127ce8192443d8919ddcefcc8", "reference_id": "9513d2a35c21067127ce8192443d8919ddcefcc8", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-12T17:51:33Z/" } ], "url": "https://github.com/TryGhost/Ghost/commit/9513d2a35c21067127ce8192443d8919ddcefcc8" }, { "reference_url": "https://github.com/TryGhost/Ghost/commit/c3017f81a5387b253a7b8c1ba1959d430ee536a3", "reference_id": "c3017f81a5387b253a7b8c1ba1959d430ee536a3", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-12T17:51:33Z/" } ], "url": "https://github.com/TryGhost/Ghost/commit/c3017f81a5387b253a7b8c1ba1959d430ee536a3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22595", "reference_id": "CVE-2026-22595", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22595" }, { "reference_url": "https://github.com/advisories/GHSA-9xg7-mwmp-xmjx", "reference_id": "GHSA-9xg7-mwmp-xmjx", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9xg7-mwmp-xmjx" }, { "reference_url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-9xg7-mwmp-xmjx", "reference_id": "GHSA-9xg7-mwmp-xmjx", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-12T17:51:33Z/" } ], "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-9xg7-mwmp-xmjx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36732?format=api", "purl": "pkg:npm/ghost@6.11.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4chn-jutc-fue2" }, { "vulnerability": "VCID-cv37-vmbh-hbge" }, { "vulnerability": "VCID-f173-31n6-73fu" }, { "vulnerability": "VCID-uv9z-tvr6-7ugm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/ghost@6.11.0" } ], "aliases": [ "CVE-2026-22595", "GHSA-9xg7-mwmp-xmjx" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z8d3-xben-ebay" } ], "fixing_vulnerabilities": [], "risk_score": "10.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/ghost@6.2.0" }