Lookup for vulnerable packages by Package URL.

Purl pkg:npm/ghost@5.22.7
Type npm
Namespace
Name ghost
Version 5.22.7
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 6.19.3
Latest_non_vulnerable_version 6.19.3
Affected_by_vulnerabilities
0
url VCID-322u-tcye-huf9
vulnerability_id VCID-322u-tcye-huf9
summary Ghost before 5.42.1 allows remote attackers to read arbitrary files within the active theme's folder via /assets/built%2F..%2F..%2F/ directory traversal. This occurs in frontend/web/middleware/static-theme.js.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-32235
reference_id
reference_type
scores
0
value 0.94094
scoring_system epss
scoring_elements 0.99911
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-32235
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-32235
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-32235
2
reference_url https://github.com/TryGhost/Ghost/commit/378dd913aa8d0fd0da29b0ffced8884579598b0f
reference_id 378dd913aa8d0fd0da29b0ffced8884579598b0f
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-29T16:27:01Z/
url https://github.com/TryGhost/Ghost/commit/378dd913aa8d0fd0da29b0ffced8884579598b0f
3
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52408.py
reference_id CVE-2023-32235
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52408.py
4
reference_url https://github.com/advisories/GHSA-wf7x-fh6w-34r6
reference_id GHSA-wf7x-fh6w-34r6
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wf7x-fh6w-34r6
5
reference_url https://github.com/TryGhost/Ghost/compare/v5.42.0...v5.42.1
reference_id v5.42.0...v5.42.1
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-29T16:27:01Z/
url https://github.com/TryGhost/Ghost/compare/v5.42.0...v5.42.1
fixed_packages
0
url pkg:npm/ghost@5.42.1
purl pkg:npm/ghost@5.42.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3u5f-347g-a7cz
1
vulnerability VCID-744d-rhkz-87fp
2
vulnerability VCID-c6w8-e895-yffy
3
vulnerability VCID-cv37-vmbh-hbge
4
vulnerability VCID-kv7x-8p66-tqf3
5
vulnerability VCID-uv9z-tvr6-7ugm
6
vulnerability VCID-v17s-qgdp-cyan
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/ghost@5.42.1
aliases CVE-2023-32235, GHSA-wf7x-fh6w-34r6
risk_score 10.0
exploitability 2.0
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-322u-tcye-huf9
1
url VCID-3u5f-347g-a7cz
vulnerability_id VCID-3u5f-347g-a7cz
summary Ghost is a Node.js content management system. Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions, and read member information. This security vulnerability is present in Ghost v4.46.0-v5.89.4. v5.89.5 contains a fix for this issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-43409
reference_id
reference_type
scores
0
value 0.00454
scoring_system epss
scoring_elements 0.64355
published_at 2026-06-12T12:55:00Z
1
value 0.00454
scoring_system epss
scoring_elements 0.64364
published_at 2026-06-14T12:55:00Z
2
value 0.00454
scoring_system epss
scoring_elements 0.64368
published_at 2026-06-13T12:55:00Z
3
value 0.00454
scoring_system epss
scoring_elements 0.64252
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-43409
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-43409
reference_id CVE-2024-43409
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-43409
2
reference_url https://github.com/TryGhost/Ghost/commit/dac25612520b571f58679764ecc27109e641d1db
reference_id dac25612520b571f58679764ecc27109e641d1db
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-21T14:32:40Z/
url https://github.com/TryGhost/Ghost/commit/dac25612520b571f58679764ecc27109e641d1db
3
reference_url https://github.com/advisories/GHSA-78x2-cwp9-5j42
reference_id GHSA-78x2-cwp9-5j42
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-78x2-cwp9-5j42
4
reference_url https://github.com/TryGhost/Ghost/security/advisories/GHSA-78x2-cwp9-5j42
reference_id GHSA-78x2-cwp9-5j42
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-21T14:32:40Z/
url https://github.com/TryGhost/Ghost/security/advisories/GHSA-78x2-cwp9-5j42
fixed_packages
0
url pkg:npm/ghost@5.89.5
purl pkg:npm/ghost@5.89.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cv37-vmbh-hbge
1
vulnerability VCID-f173-31n6-73fu
2
vulnerability VCID-uv9z-tvr6-7ugm
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/ghost@5.89.5
aliases CVE-2024-43409, GHSA-78x2-cwp9-5j42
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3u5f-347g-a7cz
2
url VCID-744d-rhkz-87fp
vulnerability_id VCID-744d-rhkz-87fp
summary Ghost through 5.76.0 allows stored XSS, and resultant privilege escalation in which a contributor can take over any account, via an SVG profile picture that contains JavaScript code to interact with the API on localhost TCP port 3001. NOTE: The discoverer reports that "The vendor does not view this as a valid vector."
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-23724
reference_id
reference_type
scores
0
value 0.38375
scoring_system epss
scoring_elements 0.97344
published_at 2026-06-13T12:55:00Z
1
value 0.38375
scoring_system epss
scoring_elements 0.97345
published_at 2026-06-14T12:55:00Z
2
value 0.38375
scoring_system epss
scoring_elements 0.97335
published_at 2026-06-11T12:55:00Z
3
value 0.38375
scoring_system epss
scoring_elements 0.97342
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-23724
1
reference_url https://rhinosecuritylabs.com/blog
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://rhinosecuritylabs.com/blog
2
reference_url https://github.com/TryGhost/Ghost/pull/19646
reference_id 19646
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-12T17:17:21Z/
url https://github.com/TryGhost/Ghost/pull/19646
3
reference_url https://rhinosecuritylabs.com/blog/
reference_id blog
reference_type
scores
0
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-12T17:17:21Z/
url https://rhinosecuritylabs.com/blog/
4
reference_url https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2024-23724
reference_id CVE-2024-23724
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-12T17:17:21Z/
url https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2024-23724
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-23724
reference_id CVE-2024-23724
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-23724
6
reference_url https://github.com/advisories/GHSA-99vc-xw8j-phjm
reference_id GHSA-99vc-xw8j-phjm
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-99vc-xw8j-phjm
fixed_packages
aliases CVE-2024-23724, GHSA-99vc-xw8j-phjm
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-744d-rhkz-87fp
3
url VCID-c6w8-e895-yffy
vulnerability_id VCID-c6w8-e895-yffy
summary Ghost is an open source content management system. Versions prior to 5.59.1 are subject to a vulnerability which allows authenticated users to upload files that are symlinks. This can be exploited to perform an arbitrary file read of any file on the host operating system. Site administrators can check for exploitation of this issue by looking for unknown symlinks within Ghost's `content/` folder. Version 5.59.1 contains a fix for this issue. All users are advised to upgrade. There are no known workarounds for this vulnerability.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-40028
reference_id
reference_type
scores
0
value 0.77606
scoring_system epss
scoring_elements 0.99012
published_at 2026-06-11T12:55:00Z
1
value 0.77606
scoring_system epss
scoring_elements 0.99017
published_at 2026-06-14T12:55:00Z
2
value 0.77606
scoring_system epss
scoring_elements 0.99016
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-40028
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-40028
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-40028
2
reference_url https://github.com/TryGhost/Ghost/commit/690fbf3f7302ff3f77159c0795928bdd20f41205
reference_id 690fbf3f7302ff3f77159c0795928bdd20f41205
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T17:45:27Z/
url https://github.com/TryGhost/Ghost/commit/690fbf3f7302ff3f77159c0795928bdd20f41205
3
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52409.py
reference_id CVE-2023-40028
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52409.py
4
reference_url https://github.com/advisories/GHSA-9c9v-w225-v5rg
reference_id GHSA-9c9v-w225-v5rg
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9c9v-w225-v5rg
5
reference_url https://github.com/TryGhost/Ghost/security/advisories/GHSA-9c9v-w225-v5rg
reference_id GHSA-9c9v-w225-v5rg
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T17:45:27Z/
url https://github.com/TryGhost/Ghost/security/advisories/GHSA-9c9v-w225-v5rg
fixed_packages
0
url pkg:npm/ghost@5.59.1
purl pkg:npm/ghost@5.59.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3u5f-347g-a7cz
1
vulnerability VCID-744d-rhkz-87fp
2
vulnerability VCID-cv37-vmbh-hbge
3
vulnerability VCID-f173-31n6-73fu
4
vulnerability VCID-uv9z-tvr6-7ugm
5
vulnerability VCID-v17s-qgdp-cyan
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/ghost@5.59.1
aliases CVE-2023-40028, GHSA-9c9v-w225-v5rg
risk_score 10.0
exploitability 2.0
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-c6w8-e895-yffy
4
url VCID-cv37-vmbh-hbge
vulnerability_id VCID-cv37-vmbh-hbge
summary Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-26980
reference_id
reference_type
scores
0
value 0.56657
scoring_system epss
scoring_elements 0.98173
published_at 2026-06-13T12:55:00Z
1
value 0.56657
scoring_system epss
scoring_elements 0.98174
published_at 2026-06-14T12:55:00Z
2
value 0.56657
scoring_system epss
scoring_elements 0.98172
published_at 2026-06-12T12:55:00Z
3
value 0.56657
scoring_system epss
scoring_elements 0.98166
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-26980
1
reference_url https://blog.xlab.qianxin.com/ghost-cms-page-poisoning-cve-2026-26980
reference_id
reference_type
scores
0
value 9.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://blog.xlab.qianxin.com/ghost-cms-page-poisoning-cve-2026-26980
2
reference_url https://github.com/TryGhost/Ghost/commit/30868d632b2252b638bc8a4c8ebf73964592ed91
reference_id 30868d632b2252b638bc8a4c8ebf73964592ed91
reference_type
scores
0
value 9.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:30:19Z/
url https://github.com/TryGhost/Ghost/commit/30868d632b2252b638bc8a4c8ebf73964592ed91
3
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52555.txt
reference_id CVE-2026-26980
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52555.txt
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-26980
reference_id CVE-2026-26980
reference_type
scores
0
value 9.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-26980
5
reference_url https://github.com/advisories/GHSA-w52v-v783-gw97
reference_id GHSA-w52v-v783-gw97
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-w52v-v783-gw97
6
reference_url https://github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97
reference_id GHSA-w52v-v783-gw97
reference_type
scores
0
value 9.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:30:19Z/
url https://github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97
7
reference_url https://github.com/TryGhost/Ghost/releases/tag/v6.19.1
reference_id v6.19.1
reference_type
scores
0
value 9.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:30:19Z/
url https://github.com/TryGhost/Ghost/releases/tag/v6.19.1
fixed_packages
0
url pkg:npm/ghost@6.19.1
purl pkg:npm/ghost@6.19.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4chn-jutc-fue2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/ghost@6.19.1
aliases CVE-2026-26980, GHSA-w52v-v783-gw97
risk_score 10.0
exploitability 2.0
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cv37-vmbh-hbge
5
url VCID-kv7x-8p66-tqf3
vulnerability_id VCID-kv7x-8p66-tqf3
summary
Ghost is an app for new-media creators with tools to build a website, publish content, send newsletters, and offer paid subscriptions to members. Prior to version 5.46.1, due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fields via a brute force attack.

Ghost(Pro) has already been patched. Maintainers can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are impacted if running a Ghost version below v5.46.1. v5.46.1 contains a fix for this issue. As a workaround, add a block for requests to `/ghost/api/content/*` where the `filter` query parameter contains `password` or `email`.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-31133
reference_id
reference_type
scores
0
value 0.0717
scoring_system epss
scoring_elements 0.91801
published_at 2026-06-13T12:55:00Z
1
value 0.0717
scoring_system epss
scoring_elements 0.91798
published_at 2026-06-14T12:55:00Z
2
value 0.0717
scoring_system epss
scoring_elements 0.91764
published_at 2026-06-11T12:55:00Z
3
value 0.0717
scoring_system epss
scoring_elements 0.91793
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-31133
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-31133
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-31133
2
reference_url https://github.com/TryGhost/Ghost/commit/b3caf16005289cc9909488391b4a26f3f4a66a90
reference_id b3caf16005289cc9909488391b4a26f3f4a66a90
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-29T14:53:14Z/
url https://github.com/TryGhost/Ghost/commit/b3caf16005289cc9909488391b4a26f3f4a66a90
3
reference_url https://github.com/advisories/GHSA-r97q-ghch-82j9
reference_id GHSA-r97q-ghch-82j9
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-r97q-ghch-82j9
4
reference_url https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9
reference_id GHSA-r97q-ghch-82j9
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-29T14:53:14Z/
url https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9
5
reference_url https://github.com/TryGhost/Ghost/releases/tag/v5.46.1
reference_id v5.46.1
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-29T14:53:14Z/
url https://github.com/TryGhost/Ghost/releases/tag/v5.46.1
fixed_packages
0
url pkg:npm/ghost@5.46.1
purl pkg:npm/ghost@5.46.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3u5f-347g-a7cz
1
vulnerability VCID-744d-rhkz-87fp
2
vulnerability VCID-c6w8-e895-yffy
3
vulnerability VCID-cv37-vmbh-hbge
4
vulnerability VCID-f173-31n6-73fu
5
vulnerability VCID-uv9z-tvr6-7ugm
6
vulnerability VCID-v17s-qgdp-cyan
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/ghost@5.46.1
aliases CVE-2023-31133, GHSA-r97q-ghch-82j9
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kv7x-8p66-tqf3
6
url VCID-uv9z-tvr6-7ugm
vulnerability_id VCID-uv9z-tvr6-7ugm
summary Ghost is a Node.js content management system. From version 0.7.2 to 6.19.0, specifically crafted malicious themes can execute arbitrary code on the server running Ghost. This issue has been patched in version 6.19.1.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-29053
reference_id
reference_type
scores
0
value 0.0003
scoring_system epss
scoring_elements 0.09327
published_at 2026-06-12T12:55:00Z
1
value 0.0003
scoring_system epss
scoring_elements 0.09318
published_at 2026-06-14T12:55:00Z
2
value 0.0003
scoring_system epss
scoring_elements 0.09328
published_at 2026-06-13T12:55:00Z
3
value 0.0003
scoring_system epss
scoring_elements 0.09276
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-29053
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-29053
reference_id CVE-2026-29053
reference_type
scores
0
value 7.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-29053
2
reference_url https://github.com/advisories/GHSA-cgc2-rcrh-qr5x
reference_id GHSA-cgc2-rcrh-qr5x
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cgc2-rcrh-qr5x
3
reference_url https://github.com/TryGhost/Ghost/security/advisories/GHSA-cgc2-rcrh-qr5x
reference_id GHSA-cgc2-rcrh-qr5x
reference_type
scores
0
value 7.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
1
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-05T15:29:20Z/
url https://github.com/TryGhost/Ghost/security/advisories/GHSA-cgc2-rcrh-qr5x
fixed_packages
0
url pkg:npm/ghost@6.19.1
purl pkg:npm/ghost@6.19.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4chn-jutc-fue2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/ghost@6.19.1
aliases CVE-2026-29053, GHSA-cgc2-rcrh-qr5x
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uv9z-tvr6-7ugm
7
url VCID-v17s-qgdp-cyan
vulnerability_id VCID-v17s-qgdp-cyan
summary Ghost before 5.76.0 allows XSS via a post excerpt in excerpt.js. An XSS payload can be rendered in post summaries.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-23725
reference_id
reference_type
scores
0
value 0.00114
scoring_system epss
scoring_elements 0.29831
published_at 2026-06-12T12:55:00Z
1
value 0.00114
scoring_system epss
scoring_elements 0.29833
published_at 2026-06-14T12:55:00Z
2
value 0.00114
scoring_system epss
scoring_elements 0.29848
published_at 2026-06-13T12:55:00Z
3
value 0.00114
scoring_system epss
scoring_elements 0.29634
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-23725
1
reference_url https://github.com/yunaycompany/Ghost/commit/64d67717f7c76c77b3908e15627f473e9ef34002
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/yunaycompany/Ghost/commit/64d67717f7c76c77b3908e15627f473e9ef34002
2
reference_url https://github.com/TryGhost/Ghost/pull/17190
reference_id 17190
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T17:35:42Z/
url https://github.com/TryGhost/Ghost/pull/17190
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-23725
reference_id CVE-2024-23725
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-23725
4
reference_url https://github.com/advisories/GHSA-fh38-9fgr-454w
reference_id GHSA-fh38-9fgr-454w
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fh38-9fgr-454w
5
reference_url https://github.com/TryGhost/Ghost/releases/tag/v5.76.0
reference_id v5.76.0
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T17:35:42Z/
url https://github.com/TryGhost/Ghost/releases/tag/v5.76.0
fixed_packages
0
url pkg:npm/ghost@5.76.0
purl pkg:npm/ghost@5.76.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3u5f-347g-a7cz
1
vulnerability VCID-744d-rhkz-87fp
2
vulnerability VCID-cv37-vmbh-hbge
3
vulnerability VCID-f173-31n6-73fu
4
vulnerability VCID-uv9z-tvr6-7ugm
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/ghost@5.76.0
aliases CVE-2024-23725, GHSA-fh38-9fgr-454w
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-v17s-qgdp-cyan
Fixing_vulnerabilities
0
url VCID-wq3c-84ce-c3hz
vulnerability_id VCID-wq3c-84ce-c3hz
summary An authentication bypass vulnerability exists in the newsletter subscription functionality of Ghost Foundation Ghost 5.9.4. A specially-crafted HTTP request can lead to increased privileges. An attacker can send an HTTP request to trigger this vulnerability.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-41654
reference_id
reference_type
scores
0
value 0.00297
scoring_system epss
scoring_elements 0.53537
published_at 2026-06-12T12:55:00Z
1
value 0.00297
scoring_system epss
scoring_elements 0.53539
published_at 2026-06-14T12:55:00Z
2
value 0.00297
scoring_system epss
scoring_elements 0.5341
published_at 2026-06-11T12:55:00Z
3
value 0.00297
scoring_system epss
scoring_elements 0.53552
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-41654
1
reference_url https://forum.ghost.org/t/security-update-available-for-ghost-4-48-7-and-5-22-6/34475
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://forum.ghost.org/t/security-update-available-for-ghost-4-48-7-and-5-22-6/34475
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-41654
reference_id CVE-2022-41654
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-41654
3
reference_url https://github.com/advisories/GHSA-9gh8-wp53-ccc6
reference_id GHSA-9gh8-wp53-ccc6
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9gh8-wp53-ccc6
4
reference_url https://github.com/TryGhost/Ghost/security/advisories/GHSA-9gh8-wp53-ccc6
reference_id GHSA-9gh8-wp53-ccc6
reference_type
scores
0
value 9.6
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-14T18:08:07Z/
url https://github.com/TryGhost/Ghost/security/advisories/GHSA-9gh8-wp53-ccc6
5
reference_url https://talosintelligence.com/vulnerability_reports/TALOS-2022-1624
reference_id TALOS-2022-1624
reference_type
scores
0
value 9.6
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-14T18:08:07Z/
url https://talosintelligence.com/vulnerability_reports/TALOS-2022-1624
fixed_packages
0
url pkg:npm/ghost@4.48.8
purl pkg:npm/ghost@4.48.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-322u-tcye-huf9
1
vulnerability VCID-3u5f-347g-a7cz
2
vulnerability VCID-744d-rhkz-87fp
3
vulnerability VCID-c6w8-e895-yffy
4
vulnerability VCID-cv37-vmbh-hbge
5
vulnerability VCID-kv7x-8p66-tqf3
6
vulnerability VCID-uv9z-tvr6-7ugm
7
vulnerability VCID-v17s-qgdp-cyan
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/ghost@4.48.8
1
url pkg:npm/ghost@5.22.7
purl pkg:npm/ghost@5.22.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-322u-tcye-huf9
1
vulnerability VCID-3u5f-347g-a7cz
2
vulnerability VCID-744d-rhkz-87fp
3
vulnerability VCID-c6w8-e895-yffy
4
vulnerability VCID-cv37-vmbh-hbge
5
vulnerability VCID-kv7x-8p66-tqf3
6
vulnerability VCID-uv9z-tvr6-7ugm
7
vulnerability VCID-v17s-qgdp-cyan
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/ghost@5.22.7
aliases CVE-2022-41654, GHSA-9gh8-wp53-ccc6, GMS-2022-7409
risk_score 4.3
exploitability 0.5
weighted_severity 8.6
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wq3c-84ce-c3hz
Risk_score 10.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/ghost@5.22.7