Ghost Support & Health

Security

Known Vulnerabilities

10 active CVEs reported via OSV.dev

GHSA-5fp7-g646-ccf4 CVSS_V3

Ghost has Staff 2FA bypass

Published: 2026-01-08 Fixed in: 6.11.0

GHSA-65p7-pjj8-ggmr CVSS_V3

Member account takeover

Published: 2021-09-23 Fixed in: 3.42.6

GHSA-78x2-cwp9-5j42 CVSS_V3

Ghost's improper authentication allows access to member information and actions

Published: 2024-08-20 Fixed in: 5.89.5

GHSA-7v28-g2pq-ggg8 CVSS_V3

Ghost vulnerable to remote code execution in locale setting change

Published: 2022-06-17 Fixed in: 4.48.2

GHSA-99vc-xw8j-phjm CVSS_V3

Ghost has possible Cross-site Scripting issue

Published: 2024-02-11 No fix available

GHSA-9c9v-w225-v5rg CVSS_V3

Ghost vulnerable to arbitrary file read via symlinks in content import

Published: 2023-08-15 Fixed in: 5.59.1

GHSA-9fgx-q25h-jxrg CVSS_V3

DOM XSS in Theme Preview

Published: 2021-04-29 Fixed in: 4.3.3

GHSA-9gh8-wp53-ccc6 CVSS_V3

ghost vulnerable to unauthorized newsletter modification via improper access controls

Published: 2022-11-28 Fixed in: 5.22.7

GHSA-9m84-wc28-w895 CVSS_V3

Ghost has incomplete CSRF protections around OTC use

Published: 2026-03-05 Fixed in: 6.19.3

GHSA-9xg7-mwmp-xmjx CVSS_V3

Ghost has Staff Token permission bypass

Published: 2026-01-08 Fixed in: 6.11.0