Package details: pkg:npm/ghost@5.46.1
purl pkg:npm/ghost@5.46.1
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability: VCID-hyzv-xf2q-5qff
Aliases: CVE-2023-31133, GHSA-r97q-ghch-82j9
Summary: Ghost vulnerable to information disclosure of private API fields

### Impact
Due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fields via a brute force attack.

Ghost(Pro) has already been patched. We can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added.

Self-hosters are impacted if running a version of Ghost below v5.46.1. Immediate action should be taken to secure your site - see patches and workarounds below.

### Patches
v5.46.1 contains a fix for this issue.

### Workarounds
Add a block for requests to `/ghost/api/content/*` where the `filter` query parameter contains `password` or `email`.

### For more information
If you have any questions or comments about this advisory:
* Email us at [security@ghost.org](mailto:security@ghost.org)

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- | --- |
| 2026-05-31T11:08:46.024738+00:00 | GithubOSV Importer | Fixing | VCID-hyzv-xf2q-5qff | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-r97q-ghch-82j9/GHSA-r97q-ghch-82j9.json | 38.6.0 |
| 2026-05-30T21:00:34.800447+00:00 | GitLab Importer | Fixing | VCID-hyzv-xf2q-5qff | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ghost/CVE-2023-31133.yml | 38.6.0 |