Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-kv7x-8p66-tqf3
Vulnerability ID VCID-kv7x-8p66-tqf3
Aliases CVE-2023-31133
GHSA-r97q-ghch-82j9
Summary Ghost is an app for new-media creators with tools to build a website, publish content, send newsletters, and offer paid subscriptions to members. Prior to version 5.46.1, due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fields via a brute force attack. Ghost(Pro) has already been patched. Maintainers can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are impacted if running Ghost a version below v5.46.1. v5.46.1 contains a fix for this issue. As a workaround, add a block for requests to `/ghost/api/content/*` where the `filter` query parameter contains `password` or `email`.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.0717 https://api.first.org/data/v1/epss?cve=CVE-2023-31133
epss 0.0717 https://api.first.org/data/v1/epss?cve=CVE-2023-31133
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-r97q-ghch-82j9
cvssv3.1 7.5 https://github.com/TryGhost/Ghost
generic_textual HIGH https://github.com/TryGhost/Ghost
cvssv3.1 7.5 https://github.com/TryGhost/Ghost/commit/b3caf16005289cc9909488391b4a26f3f4a66a90
generic_textual HIGH https://github.com/TryGhost/Ghost/commit/b3caf16005289cc9909488391b4a26f3f4a66a90
ssvc Track https://github.com/TryGhost/Ghost/commit/b3caf16005289cc9909488391b4a26f3f4a66a90
cvssv3.1 7.5 https://github.com/TryGhost/Ghost/releases/tag/v5.46.1
generic_textual HIGH https://github.com/TryGhost/Ghost/releases/tag/v5.46.1
ssvc Track https://github.com/TryGhost/Ghost/releases/tag/v5.46.1
cvssv3.1 7.5 https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9
cvssv3.1_qr HIGH https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9
generic_textual HIGH https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9
ssvc Track https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2023-31133
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2023-31133
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2023-31133
https://nvd.nist.gov/vuln/detail/CVE-2023-31133
b3caf16005289cc9909488391b4a26f3f4a66a90 https://github.com/TryGhost/Ghost/commit/b3caf16005289cc9909488391b4a26f3f4a66a90
GHSA-r97q-ghch-82j9 https://github.com/advisories/GHSA-r97q-ghch-82j9
GHSA-r97q-ghch-82j9 https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9
v5.46.1 https://github.com/TryGhost/Ghost/releases/tag/v5.46.1
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/TryGhost/Ghost
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/TryGhost/Ghost/commit/b3caf16005289cc9909488391b4a26f3f4a66a90
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-29T14:53:14Z/ Found at https://github.com/TryGhost/Ghost/commit/b3caf16005289cc9909488391b4a26f3f4a66a90
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/TryGhost/Ghost/releases/tag/v5.46.1
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-29T14:53:14Z/ Found at https://github.com/TryGhost/Ghost/releases/tag/v5.46.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-29T14:53:14Z/ Found at https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-31133
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.91764
EPSS Score 0.0717
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:23:26.359368+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2023/31xxx/CVE-2023-31133.json 38.6.0