Search for packages
| purl | pkg:npm/ghost@3.29.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-322u-tcye-huf9
Aliases: CVE-2023-32235 GHSA-wf7x-fh6w-34r6 |
Ghost before 5.42.1 allows remote attackers to read arbitrary files within the active theme's folder via /assets/built%2F..%2F..%2F/ directory traversal. This occurs in frontend/web/middleware/static-theme.js. |
Affected by 7 other vulnerabilities. |
|
VCID-744d-rhkz-87fp
Aliases: CVE-2024-23724 GHSA-99vc-xw8j-phjm |
Ghost through 5.76.0 allows stored XSS, and resultant privilege escalation in which a contributor can take over any account, via an SVG profile picture that contains JavaScript code to interact with the API on localhost TCP port 3001. NOTE: The discoverer reports that "The vendor does not view this as a valid vector." | There are no reported fixed by versions. |
|
VCID-c6w8-e895-yffy
Aliases: CVE-2023-40028 GHSA-9c9v-w225-v5rg |
Ghost is an open source content management system. Versions prior to 5.59.1 are subject to a vulnerability which allows authenticated users to upload files that are symlinks. This can be exploited to perform an arbitrary file read of any file on the host operating system. Site administrators can check for exploitation of this issue by looking for unknown symlinks within Ghost's `content/` folder. Version 5.59.1 contains a fix for this issue. All users are advised to upgrade. There are no known workarounds for this vulnerability. |
Affected by 6 other vulnerabilities. |
|
VCID-cncs-9zzp-q7b1
Aliases: GHSA-wfrj-qqc2-83cm GMS-2021-182 |
Remote command injection when using sendmail email transport ### Impact Sites using the `sendmail` transport as part of their `mail` config are vulnerable to remote command injection due to a [vulnerability](https://github.com/advisories/GHSA-48ww-j4fc-435p) in the `nodemailer` dependency. Ghost defaults to the `direct` transport so this is only exploitable if the `sendmail` transport is explicitly used. ### Patches Fixed in 4.15.0, all sites should upgrade as soon as possible. ### Workarounds * Use an alternative email transport as described in the [docs](https://ghost.org/docs/config/#mail). ### For more information If you have any questions or comments about this advisory: * email us at security@ghost.org |
Affected by 8 other vulnerabilities. |
|
VCID-cv37-vmbh-hbge
Aliases: CVE-2026-26980 GHSA-w52v-v783-gw97 |
Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1. |
Affected by 1 other vulnerability. |
|
VCID-kv7x-8p66-tqf3
Aliases: CVE-2023-31133 GHSA-r97q-ghch-82j9 |
Ghost is an app for new-media creators with tools to build a website, publish content, send newsletters, and offer paid subscriptions to members. Prior to version 5.46.1, due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fields via a brute force attack. Ghost(Pro) has already been patched. Maintainers can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are impacted if running Ghost a version below v5.46.1. v5.46.1 contains a fix for this issue. As a workaround, add a block for requests to `/ghost/api/content/*` where the `filter` query parameter contains `password` or `email`. |
Affected by 7 other vulnerabilities. |
|
VCID-s9t5-skgx-u3hw
Aliases: GHSA-65p7-pjj8-ggmr GMS-2021-181 |
Member account takeover ### Impact An error in the implementation of the member email change functionality allows unauthenticated users to change the email address of arbitrary member accounts to one they control by crafting a request to the relevant API endpoint, and validating the new address via magic link sent to the new email address. Ghost(Pro) has already been patched. Self-hosters are impacted if running Ghost a version between 3.18.0 and 4.15.0 with members functionality enabled. ### Patches Fixed in 4.15.1, all 4.x sites should upgrade as soon as possible. Fixed in 3.42.6, all 3.x sites should upgrade as soon as possible. ### Workarounds The patch in 4.15.1 and 3.42.6 adds a new authenticated endpoint for updating member email addresses. Updating Ghost is the quickest complete solution. As a workaround, if for any reason you cannot update your Ghost instance, you can block the `POST /members/api/send-magic-link/` endpoint, which will also disable member login and signup for your site. ### For more information If you have any questions or comments about this advisory: * Email us at [security@ghost.org](mailto:security@ghost.org) |
Affected by 7 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-uv9z-tvr6-7ugm
Aliases: CVE-2026-29053 GHSA-cgc2-rcrh-qr5x |
Ghost is a Node.js content management system. From version 0.7.2 to 6.19.0, specifically crafted malicious themes can execute arbitrary code on the server running Ghost. This issue has been patched in version 6.19.1. |
Affected by 1 other vulnerability. |
|
VCID-v17s-qgdp-cyan
Aliases: CVE-2024-23725 GHSA-fh38-9fgr-454w |
Ghost before 5.76.0 allows XSS via a post excerpt in excerpt.js. An XSS payload can be rendered in post summaries. |
Affected by 5 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||