Ghost

Products by Ghost, sorted by most security vulnerabilities since 2018

Ghost: 22 vulnerabilities

Ghost Sqlite3: 3 vulnerabilities

By the Year

In 2026 there have been 0 vulnerabilities in Ghost. Last year, in 2025, Ghost had 1 security vulnerability published. Right now, Ghost is on track to have fewer security vulnerabilities in 2026 than it did last year.

Year Vulnerabilities Average Score
2026 0 0.00
2025 1 0.00
2024 6 7.20
2023 10 7.08
2022 5 7.34
2021 2 6.65
2020 1 0.00

It may take a day or so for new Ghost vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Ghost Security Vulnerabilities

CVE (Date) | Vulnerability | Products

CVE-2025-9862 (Sep 17, 2025) | Products: Ghost
Ghost SSRF (6.0.0–6.0.8, 5.99–5.130.3) – vulnerable HTTP client. Server-Side Request Forgery (SSRF) vulnerability in Ghost allows an attacker to access internal resources. This issue affects Ghost: from 6.0.0 through 6.0.8, from 5.99.0 through 5.130.3.

CVE-2024-43409 (Aug 20, 2024) | Products: Ghost
Ghost CMS v4.46.0-v5.89.4 Improper Auth Enables Member Actions. Ghost is a Node.js content management system. Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions, and read member information. This security vulnerability is present in Ghost v4.46.0-v5.89.4. v5.89.5 contains a fix for this issue.

CVE-2024-34451 (Jun 16, 2024) | Products: Ghost
Ghost <=5.85.1 Auth RateLimit Bypass via XFF Headers. Ghost through 5.85.1 allows remote attackers to bypass an authentication rate-limit protection mechanism by using many X-Forwarded-For headers with different values. NOTE: the vendor's position is that Ghost should be installed with a reverse proxy that allows only trusted X-Forwarded-For headers.

CVE-2024-34448 (May 22, 2024) | Products: Ghost
Ghost <5.82.0 CSV Injection in Member CSV Export. Ghost before 5.82.0 allows CSV Injection during a member CSV export.

CVE-2024-34559 (May 14, 2024) | Products: Ghost
Ghost <=1.4.0 Sensitive Data Logged Vulnerability. Insertion of Sensitive Information into Log File vulnerability in Ghost Foundation Ghost. This issue affects Ghost: from n/a through 1.4.0.

CVE-2024-23724 (Feb 11, 2024) | Products: Ghost
Stored XSS in Ghost CMS 5.x via SVG picture bypass ACL on localhost:3001. Ghost through 5.76.0 allows stored XSS, and resultant privilege escalation in which a contributor can take over any account, via an SVG profile picture that contains JavaScript code to interact with the API on localhost TCP port 3001. NOTE: The discoverer reports that "The vendor does not view this as a valid vector."

CVE-2024-23725 (Jan 21, 2024) | Products: Ghost
Ghost <5.76.0 XSS via post excerpt in excerpt.js. Ghost before 5.76.0 allows XSS via a post excerpt in excerpt.js. An XSS payload can be rendered in post summaries.

CVE-2023-40028 (Aug 15, 2023) | Products: Ghost
Ghost CMS Arbitrary File Read via Symlink Upload <5.59.1. Ghost is an open source content management system. Versions prior to 5.59.1 are subject to a vulnerability which allows authenticated users to upload files that are symlinks. This can be exploited to perform an arbitrary file read of any file on the host operating system. Site administrators can check for exploitation of this issue by looking for unknown symlinks within Ghost's `content/` folder. Version 5.59.1 contains a fix for this issue. All users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE-2023-31133 (May 08, 2023) | Products: Ghost
Ghost <=5.46.0 API filter validation flaw (CVE-2023-31133). Ghost is an app for new-media creators with tools to build a website, publish content, send newsletters, and offer paid subscriptions to members. Prior to version 5.46.1, due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fields via a brute force attack. Ghost(Pro) has already been patched. Maintainers can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are impacted if running a Ghost version below v5.46.1. v5.46.1 contains a fix for this issue. As a workaround, add a block for requests to `/ghost/api/content/*` where the `filter` query parameter contains `password` or `email`.

CVE-2023-32235 (May 05, 2023) | Products: Ghost
Ghost <5.42.1 Arbitrary File Read via static-theme.js dir traversal. Ghost before 5.42.1 allows remote attackers to read arbitrary files within the active theme's folder via /assets/built%2F..%2F..%2F/ directory traversal. This occurs in frontend/web/middleware/static-theme.js.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).