Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:npm/ghost@5.130.4
purl pkg:npm/ghost@5.130.4
Next non-vulnerable version 6.19.3
Latest non-vulnerable version 6.19.3
Risk 10.0
Vulnerabilities affecting this package (7)
Vulnerability Summary Fixed by
VCID-4chn-jutc-fue2
Aliases:
CVE-2026-29784
GHSA-9m84-wc28-w895
Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to take over a Ghost site. This issue has been patched in version 6.19.3.
6.19.3
Affected by 0 other vulnerabilities.
VCID-cv37-vmbh-hbge
Aliases:
CVE-2026-26980
GHSA-w52v-v783-gw97
Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.
6.19.1
Affected by 1 other vulnerability.
VCID-dqj6-6jfr-37ca
Aliases:
CVE-2026-22597
GHSA-vmc4-9828-r48r
Ghost is a Node.js content management system. In versions 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost’s media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API to exfiltrate data from internal systems via SSRF. This issue has been patched in versions 5.130.6 and 6.11.0.
5.130.6
Affected by 3 other vulnerabilities.
6.0.0-alpha.1
Affected by 3 other vulnerabilities.
6.11.0
Affected by 4 other vulnerabilities.
VCID-k4ww-t1ck-jkcr
Aliases:
CVE-2026-22596
GHSA-gjrp-xgmh-x9qq
Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL. This issue has been patched in versions 5.130.6 and 6.11.0.
5.130.6
Affected by 3 other vulnerabilities.
6.0.0-alpha.1
Affected by 3 other vulnerabilities.
6.11.0
Affected by 4 other vulnerabilities.
VCID-uv9z-tvr6-7ugm
Aliases:
CVE-2026-29053
GHSA-cgc2-rcrh-qr5x
Ghost is a Node.js content management system. From version 0.7.2 to 6.19.0, specifically crafted malicious themes can execute arbitrary code on the server running Ghost. This issue has been patched in version 6.19.1.
6.19.1
Affected by 1 other vulnerability.
VCID-z5jg-cfyj-sbg5
Aliases:
CVE-2026-22594
GHSA-5fp7-g646-ccf4
Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. This issue has been patched in versions 5.130.6 and 6.11.0.
5.130.6
Affected by 3 other vulnerabilities.
6.0.0-alpha.1
Affected by 3 other vulnerabilities.
6.11.0
Affected by 4 other vulnerabilities.
VCID-z8d3-xben-ebay
Aliases:
CVE-2026-22595
GHSA-9xg7-mwmp-xmjx
Ghost is a Node.js content management system. In versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's handling of Staff Token authentication allowed certain endpoints to be accessed that were only intended to be accessible via Staff Session authentication. External systems that have been authenticated via Staff Tokens for Admin/Owner-role users would have had access to these endpoints. This issue has been patched in versions 5.130.6 and 6.11.0.
5.130.6
Affected by 3 other vulnerabilities.
6.0.0-alpha.1
Affected by 3 other vulnerabilities.
6.11.0
Affected by 4 other vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-3mb5-8b85-d7bt Server-Side Request Forgery (SSRF) vulnerability in Ghost allows an attacker to access internal resources.This issue affects Ghost: from 6.0.0 through 6.0.8, from 5.99.0 through 5.130.3. CVE-2025-9862
GHSA-f7qg-xj45-w956

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-15T01:56:27.540508+00:00 GHSA Importer Fixing VCID-3mb5-8b85-d7bt https://github.com/advisories/GHSA-f7qg-xj45-w956 38.6.0
2026-06-12T21:18:11.442405+00:00 GitLab Importer Affected by VCID-4chn-jutc-fue2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ghost/CVE-2026-29784.yml 38.6.0
2026-06-12T21:16:04.149954+00:00 GitLab Importer Affected by VCID-uv9z-tvr6-7ugm https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ghost/CVE-2026-29053.yml 38.6.0
2026-06-12T21:00:38.908473+00:00 GitLab Importer Affected by VCID-cv37-vmbh-hbge https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ghost/CVE-2026-26980.yml 38.6.0
2026-06-12T20:45:20.523152+00:00 GitLab Importer Affected by VCID-k4ww-t1ck-jkcr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ghost/CVE-2026-22596.yml 38.6.0
2026-06-12T20:45:06.354211+00:00 GitLab Importer Affected by VCID-dqj6-6jfr-37ca https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ghost/CVE-2026-22597.yml 38.6.0
2026-06-12T20:44:49.164280+00:00 GitLab Importer Affected by VCID-z5jg-cfyj-sbg5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ghost/CVE-2026-22594.yml 38.6.0
2026-06-12T20:44:24.615707+00:00 GitLab Importer Affected by VCID-z8d3-xben-ebay https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ghost/CVE-2026-22595.yml 38.6.0
2026-06-12T15:48:38.358676+00:00 GitLab Importer Fixing VCID-3mb5-8b85-d7bt https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ghost/CVE-2025-9862.yml 38.6.0
2026-06-12T07:53:03.108835+00:00 GithubOSV Importer Fixing VCID-3mb5-8b85-d7bt https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-f7qg-xj45-w956/GHSA-f7qg-xj45-w956.json 38.6.0