Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-v17s-qgdp-cyan
Vulnerability ID VCID-v17s-qgdp-cyan
Aliases CVE-2024-23725
GHSA-fh38-9fgr-454w
Summary Ghost before 5.76.0 allows XSS via a post excerpt in excerpt.js. An XSS payload can be rendered in post summaries.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00114 https://api.first.org/data/v1/epss?cve=CVE-2024-23725
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-fh38-9fgr-454w
cvssv3.1 6.1 https://github.com/TryGhost/Ghost
generic_textual MODERATE https://github.com/TryGhost/Ghost
cvssv3.1 6.1 https://github.com/TryGhost/Ghost/pull/17190
generic_textual MODERATE https://github.com/TryGhost/Ghost/pull/17190
ssvc Track https://github.com/TryGhost/Ghost/pull/17190
cvssv3.1 6.1 https://github.com/TryGhost/Ghost/releases/tag/v5.76.0
generic_textual MODERATE https://github.com/TryGhost/Ghost/releases/tag/v5.76.0
ssvc Track https://github.com/TryGhost/Ghost/releases/tag/v5.76.0
cvssv3.1 6.1 https://github.com/yunaycompany/Ghost/commit/64d67717f7c76c77b3908e15627f473e9ef34002
generic_textual MODERATE https://github.com/yunaycompany/Ghost/commit/64d67717f7c76c77b3908e15627f473e9ef34002
cvssv3.1 6.1 https://nvd.nist.gov/vuln/detail/CVE-2024-23725
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2024-23725
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2024-23725
https://github.com/yunaycompany/Ghost/commit/64d67717f7c76c77b3908e15627f473e9ef34002
17190 https://github.com/TryGhost/Ghost/pull/17190
CVE-2024-23725 https://nvd.nist.gov/vuln/detail/CVE-2024-23725
GHSA-fh38-9fgr-454w https://github.com/advisories/GHSA-fh38-9fgr-454w
v5.76.0 https://github.com/TryGhost/Ghost/releases/tag/v5.76.0
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/TryGhost/Ghost
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/TryGhost/Ghost/pull/17190
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T17:35:42Z/ Found at https://github.com/TryGhost/Ghost/pull/17190
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/TryGhost/Ghost/releases/tag/v5.76.0
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T17:35:42Z/ Found at https://github.com/TryGhost/Ghost/releases/tag/v5.76.0
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/yunaycompany/Ghost/commit/64d67717f7c76c77b3908e15627f473e9ef34002
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-23725
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.29634
EPSS Score 0.00114
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-10T18:28:06.426120+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2024/23xxx/CVE-2024-23725.json 38.6.0