Package details: pkg:npm/ghost@5.121.0
purl: pkg:npm/ghost@5.121.0
Next non-vulnerable version: 6.19.3
Latest non-vulnerable version: 6.19.3
Risk: 10.0
Vulnerabilities affecting this package (8)
VCID-3mb5-8b85-d7bt
Aliases: CVE-2025-9862, GHSA-f7qg-xj45-w956
Summary: Server-Side Request Forgery (SSRF) vulnerability in Ghost allows an attacker to access internal resources. This issue affects Ghost: from 6.0.0 through 6.0.8, from 5.99.0 through 5.130.3.
Fixed by: 5.130.4 (affected by 7 other vulnerabilities); 6.0.9 (affected by 8 other vulnerabilities)
VCID-4chn-jutc-fue2
Aliases: CVE-2026-29784, GHSA-9m84-wc28-w895
Summary: Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to take over a Ghost site. This issue has been patched in version 6.19.3.
Fixed by: 6.19.3 (affected by 0 other vulnerabilities)
VCID-cv37-vmbh-hbge
Aliases: CVE-2026-26980, GHSA-w52v-v783-gw97
Summary: Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.
Fixed by: 6.19.1 (affected by 1 other vulnerability)
VCID-dqj6-6jfr-37ca
Aliases: CVE-2026-22597, GHSA-vmc4-9828-r48r
Summary: Ghost is a Node.js content management system. In versions 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API to exfiltrate data from internal systems via SSRF. This issue has been patched in versions 5.130.6 and 6.11.0.
Fixed by: 5.130.6 (affected by 3 other vulnerabilities); 6.0.0-alpha.1 (affected by 3 other vulnerabilities); 6.11.0 (affected by 4 other vulnerabilities)
VCID-k4ww-t1ck-jkcr
Aliases: CVE-2026-22596, GHSA-gjrp-xgmh-x9qq
Summary: Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL. This issue has been patched in versions 5.130.6 and 6.11.0.
Fixed by: 5.130.6 (affected by 3 other vulnerabilities); 6.0.0-alpha.1 (affected by 3 other vulnerabilities); 6.11.0 (affected by 4 other vulnerabilities)
VCID-uv9z-tvr6-7ugm
Aliases: CVE-2026-29053, GHSA-cgc2-rcrh-qr5x
Summary: Ghost is a Node.js content management system. From version 0.7.2 to 6.19.0, specifically crafted malicious themes can execute arbitrary code on the server running Ghost. This issue has been patched in version 6.19.1.
Fixed by: 6.19.1 (affected by 1 other vulnerability)
VCID-z5jg-cfyj-sbg5
Aliases: CVE-2026-22594, GHSA-5fp7-g646-ccf4
Summary: Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. This issue has been patched in versions 5.130.6 and 6.11.0.
Fixed by: 5.130.6 (affected by 3 other vulnerabilities); 6.0.0-alpha.1 (affected by 3 other vulnerabilities); 6.11.0 (affected by 4 other vulnerabilities)
VCID-z8d3-xben-ebay
Aliases: CVE-2026-22595, GHSA-9xg7-mwmp-xmjx
Summary: Ghost is a Node.js content management system. In versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's handling of Staff Token authentication allowed certain endpoints to be accessed that were only intended to be accessible via Staff Session authentication. External systems that have been authenticated via Staff Tokens for Admin/Owner-role users would have had access to these endpoints. This issue has been patched in versions 5.130.6 and 6.11.0.
Fixed by: 5.130.6 (affected by 3 other vulnerabilities); 6.0.0-alpha.1 (affected by 3 other vulnerabilities); 6.11.0 (affected by 4 other vulnerabilities)
Vulnerabilities fixed by this package (1)
VCID-f173-31n6-73fu
Aliases: CVE-2026-24778, GHSA-gv6q-2m97-882h
Summary: Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, an attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaScript with the victim's permissions, potentially leading to account takeover. Ghost Portal versions 2.29.1 through 2.51.4 and 2.52.0 through 2.57.0 were vulnerable to this issue. Ghost automatically loads the latest patch of the members Portal component via CDN. For Ghost 5.x users, upgrading to v5.121.0 or later fixes the vulnerability. v5.121.0 loads Portal v2.51.5, which contains the patch. For Ghost 6.x users, upgrading to v6.15.0 or later fixes the vulnerability. v6.15.0 loads Portal v2.57.1, which contains the patch. For Ghost installations using a customized or self-hosted version of Portal, it will be necessary to manually rebuild from or update to the latest patch version.
History
Date | Actor | Action | Vulnerability | Source | VulnerableCode version
2026-06-12T21:18:11.370729+00:00 | GitLab Importer | Affected by | VCID-4chn-jutc-fue2 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ghost/CVE-2026-29784.yml | 38.6.0
2026-06-12T21:16:04.077826+00:00 | GitLab Importer | Affected by | VCID-uv9z-tvr6-7ugm | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ghost/CVE-2026-29053.yml | 38.6.0
2026-06-12T21:00:38.834538+00:00 | GitLab Importer | Affected by | VCID-cv37-vmbh-hbge | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ghost/CVE-2026-26980.yml | 38.6.0
2026-06-12T20:45:20.440383+00:00 | GitLab Importer | Affected by | VCID-k4ww-t1ck-jkcr | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ghost/CVE-2026-22596.yml | 38.6.0
2026-06-12T20:45:06.278887+00:00 | GitLab Importer | Affected by | VCID-dqj6-6jfr-37ca | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ghost/CVE-2026-22597.yml | 38.6.0
2026-06-12T20:44:49.090220+00:00 | GitLab Importer | Affected by | VCID-z5jg-cfyj-sbg5 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ghost/CVE-2026-22594.yml | 38.6.0
2026-06-12T20:44:24.542323+00:00 | GitLab Importer | Affected by | VCID-z8d3-xben-ebay | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ghost/CVE-2026-22595.yml | 38.6.0
2026-06-12T20:17:58.406523+00:00 | GitLab Importer | Affected by | VCID-3mb5-8b85-d7bt | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ghost/CVE-2025-9862.yml | 38.6.0
2026-06-12T15:50:13.599908+00:00 | GitLab Importer | Fixing | VCID-f173-31n6-73fu | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ghost/CVE-2026-24778.yml | 38.6.0
2026-06-12T07:46:58.718979+00:00 | GithubOSV Importer | Fixing | VCID-f173-31n6-73fu | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-gv6q-2m97-882h/GHSA-gv6q-2m97-882h.json | 38.6.0
2026-06-11T20:37:41.714117+00:00 | GHSA Importer | Fixing | VCID-f173-31n6-73fu | https://github.com/advisories/GHSA-gv6q-2m97-882h | 38.6.0