FKIE_CVE-2026-24778

Vulnerability from fkie_nvd - Published: 2026-01-27 22:15 - Updated: 2026-02-02 15:21
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, an attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaScript with the victim's permissions, potentially leading to account takeover. Ghost Portal versions 2.29.1 through 2.51.4 and 2.52.0 through 2.57.0 were vulnerable to this issue. Ghost automatically loads the latest patch of the members Portal component via CDN. For Ghost 5.x users, upgrading to v5.121.0 or later fixes the vulnerability. v5.121.0 loads Portal v2.51.5, which contains the patch. For Ghost 6.x users, upgrading to v6.15.0 or later fixes the vulnerability. v6.15.0 loads Portal v2.57.1, which contains the patch. For Ghost installations using a customized or self-hosted version of Portal, it will be necessary to manually rebuild from or update to the latest patch version.
References
security-advisories@github.comhttps://github.com/TryGhost/Ghost/commit/da858e640e88e69c1773a7b7ecdc2008fa143849Patch
security-advisories@github.comhttps://github.com/TryGhost/Ghost/security/advisories/GHSA-gv6q-2m97-882hVendor Advisory
Impacted products
Vendor Product Version
ghost ghost *
ghost ghost *
ghost portal *
ghost portal *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "3A161191-AE97-4B51-B99C-C5E3AE212FF2",
              "versionEndExcluding": "5.121.0",
              "versionStartIncluding": "5.43.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "20D558C0-11D9-467C-9D0B-0FA15D19637E",
              "versionEndExcluding": "6.15.0",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ghost:portal:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "30E5D4C3-A2BD-4816-AFAB-187DB71D3FFB",
              "versionEndExcluding": "2.51.5",
              "versionStartIncluding": "2.29.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ghost:portal:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "4B387332-AE38-4C8E-BCBE-DD669474AA9E",
              "versionEndExcluding": "2.57.1",
              "versionStartIncluding": "2.52.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, an attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaScript with the victim\u0027s permissions, potentially leading to account takeover. Ghost Portal versions 2.29.1 through 2.51.4 and 2.52.0 through 2.57.0 were vulnerable to this issue. Ghost automatically loads the latest patch of the members Portal component via CDN. For Ghost 5.x users, upgrading to v5.121.0 or later fixes the vulnerability. v5.121.0 loads Portal v2.51.5, which contains the patch. For Ghost 6.x users, upgrading to v6.15.0 or later fixes the vulnerability. v6.15.0 loads Portal v2.57.1, which contains the patch. For Ghost installations using a customized or self-hosted version of Portal, it will be necessary to manually rebuild from or update to the latest patch version."
    },
    {
      "lang": "es",
      "value": "Ghost es un sistema de gesti\u00f3n de contenido de c\u00f3digo abierto. En las versiones de Ghost 5.43.0 a 5.12.04 y 6.0.0 a 6.14.0, un atacante pudo crear un enlace malicioso que, cuando era accedido por un usuario de personal o miembro autenticado, ejecutar\u00eda JavaScript con los permisos de la v\u00edctima, lo que podr\u00eda llevar a la toma de control de la cuenta. Las versiones de Ghost Portal 2.29.1 a 2.51.4 y 2.52.0 a 2.57.0 eran vulnerables a este problema. Ghost carga autom\u00e1ticamente el \u00faltimo parche del componente Portal de miembros a trav\u00e9s de CDN. Para los usuarios de Ghost 5.x, actualizar a la v5.121.0 o posterior corrige la vulnerabilidad. La v5.121.0 carga Portal v2.51.5, que contiene el parche. Para los usuarios de Ghost 6.x, actualizar a la v6.15.0 o posterior corrige la vulnerabilidad. La v6.15.0 carga Portal v2.57.1, que contiene el parche. Para las instalaciones de Ghost que utilizan una versi\u00f3n personalizada o autoalojada de Portal, ser\u00e1 necesario reconstruir manualmente desde o actualizar a la \u00faltima versi\u00f3n del parche."
    }
  ],
  "id": "CVE-2026-24778",
  "lastModified": "2026-02-02T15:21:41.313",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-01-27T22:15:57.097",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/TryGhost/Ghost/commit/da858e640e88e69c1773a7b7ecdc2008fa143849"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-gv6q-2m97-882h"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.