CVE-2026-53944
Ghost CMS IPv6 Bypass Allows Internal Service Access

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, when making an external request, it is possible to bypass the IP filter that ensures the request isn't going to an internal service using an IPv6 literal which maps to a private IPv4 address. This vulnerability is fixed in 6.21.1.
Meta Information
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: ghost
Product: ghost
Version / Range: to 6.21.1 (inc)
CWE IDs and Descriptions
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-184: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
Compliance Impact

The provided information does not specify how the vulnerability CVE-2026-53944 affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability affects the Ghost content management system versions from 6.0.9 up to 6.21.1. It allows an attacker to bypass the IP filter that is designed to prevent external requests from reaching internal services. The bypass is possible by using an IPv6 literal address that maps to a private IPv4 address, effectively circumventing the intended IP filtering mechanism.

Impact Analysis

The vulnerability can lead to unauthorized access to internal services by bypassing IP filtering controls. This could allow an attacker to send requests to internal services that should be protected, potentially leading to information disclosure or manipulation of internal resources.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Ghost to version 6.21.1 or later, where the issue has been fixed.
