Ghost: >> Ghost >> 5.130.6 Security Vulnerabilities
Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to take over a Ghost site. This issue has been patched in version 6.19.3.
CVSS Score
7.5
EPSS Score
0.0
Published
2026-03-07
Ghost is a Node.js content management system. From version 0.7.2 to 6.19.0, specifically crafted malicious themes can execute arbitrary code on the server running Ghost. This issue has been patched in version 6.19.1.
CVSS Score
7.6
EPSS Score
0.0
Published
2026-03-05
Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.
CVSS Score
9.4
EPSS Score
0.001
Published
2026-02-20