CVE-2026-53946
Status: Received - Intake
Ghost CMS Remote Image Fetching Vulnerability Leading to Server-Side Request Forgery

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Ghost is a Node.js content management system. From 6.19.4 until 6.21.1, when re-rendering posts, Ghost would refetch missing image dimensions by issuing an outbound HTTP request to the URL stored on an image card, without restricting that URL to trusted image hosts. An authenticated staff user able to create or edit posts could therefore point an image card at an attacker-chosen host and cause the Ghost server to request it on their behalf, including hosts on internal networks or cloud instance metadata endpoints that would not normally be reachable from the public internet. This vulnerability is fixed in 6.21.1.
CVSS Scores: none listed
EPSS Scores: not yet evaluated
Generated: 2026-06-25
Affected Vendors & Products
Vendor Product Version / Range
ghost ghost From 6.19.4 (inc) to 6.21.1 (inc)
ghost ghost 6.21.1
Note: the CPE data above marks 6.21.1 as affected, but the description states that 6.21.1 is the fixed release, so the affected range should be read as 6.19.4 up to and including 6.21.0, with 6.21.1 and later patched.
CWE
CWE-918 (Server-Side Request Forgery): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Impact Analysis

The vulnerability allows an authenticated staff user to make the Ghost server issue HTTP requests to attacker-chosen URLs, including internal network services and cloud instance metadata endpoints that are not exposed externally. Because the request originates from the server itself, it is made from the server's network position and, in the case of metadata endpoints, with the server's instance identity, so it can expose internal services or data and can be used to map the internal network or cloud environment in preparation for further attacks.

Mitigation Strategies

Upgrade Ghost to version 6.21.1 or later, where the issue is fixed.

Until the upgrade is applied, note that the trigger is an authenticated staff account that can create or edit posts, so limit such accounts to people who need them and review recently edited image cards for URLs pointing at internal hosts or metadata addresses.

The application-level fix is to restrict the URL the server will fetch for image dimensions to trusted image hosts, rejecting private, loopback and link-local addresses. As defense in depth, independent of the application, filter the Ghost host's outbound traffic so it can reach only the image hosts it legitimately needs (blocking RFC 1918 ranges and 169.254.169.254 in particular), and where the server runs in a cloud that offers it, require session-based metadata access such as AWS IMDSv2, which a plain server-side GET triggered through this issue cannot satisfy.

Executive Summary

This vulnerability affects the Ghost content management system from version 6.19.4 up to, but not including, 6.21.1. When re-rendering posts, Ghost would attempt to fetch missing image dimensions by making an outbound HTTP request to the URL specified on an image card, and it did not restrict these URLs to trusted image hosts. As a result, an authenticated staff user who can create or edit posts could insert an image card pointing to an attacker-chosen host, causing the Ghost server to make HTTP requests to that host on the attacker's behalf, including internal network hosts and cloud instance metadata endpoints that are normally inaccessible from the public internet.

Compliance Impact

CVE-2026-53946 is a Server-Side Request Forgery (SSRF) vulnerability that could allow an authenticated staff user to cause the Ghost server to make HTTP requests to attacker-controlled or internal network hosts, potentially leading to unauthorized access to internal resources or sensitive data.

Such unauthorized access to sensitive data could have implications for compliance with standards and regulations like GDPR or HIPAA, which require protection of personal and sensitive information. However, the provided information does not explicitly detail the impact on compliance with these regulations.
