CVE-2026-53946
Deferred Deferred - Pending Action

Ghost CMS Remote Image Fetching Vulnerability Leading to Server-Side Request Forgery

Vulnerability report for CVE-2026-53946, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description

Ghost is a Node.js content management system. From 6.19.4 until 6.21.1, when re-rendering posts, Ghost would refetch missing image dimensions by issuing an outbound HTTP request to the URL stored on an image card β€” without restricting that URL to trusted image hosts. An authenticated staff user able to create or edit posts could therefore point an image card at an attacker-chosen host and cause the Ghost server to request it on their behalf, including hosts on internal networks or cloud instance metadata endpoints that would not normally be reachable from the public internet. This vulnerability is fixed in 6.21.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-25
Generated
2026-07-15
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
ghost ghost From 6.19.4 (inc) to 6.21.1 (inc)
ghost ghost 6.21.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

The vulnerability allows an authenticated staff user to make the Ghost server perform HTTP requests to arbitrary URLs, including internal network resources or cloud metadata endpoints. This can lead to unauthorized access to sensitive internal services or data that are not normally exposed externally. It may also enable attackers to gather information about the internal network or cloud environment, potentially facilitating further attacks.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Ghost to version 6.21.1 or later, where the issue is fixed.

Additionally, restrict the URLs used in image cards to trusted image hosts to prevent the server from making unauthorized outbound HTTP requests.

Executive Summary

This vulnerability affects the Ghost content management system versions from 6.19.4 to 6.21.1. When re-rendering posts, Ghost would attempt to fetch missing image dimensions by making an outbound HTTP request to the URL specified on an image card. However, it did not restrict these URLs to trusted image hosts. As a result, an authenticated staff user who can create or edit posts could insert an image card pointing to an attacker-controlled host. This would cause the Ghost server to make HTTP requests to that host on behalf of the attacker, including potentially accessing internal network hosts or cloud instance metadata endpoints that are normally inaccessible from the public internet.

Compliance Impact

CVE-2026-53946 is a Server-Side Request Forgery (SSRF) vulnerability that could allow an authenticated staff user to cause the Ghost server to make HTTP requests to attacker-controlled or internal network hosts, potentially leading to unauthorized access to internal resources or sensitive data.

Such unauthorized access to sensitive data could have implications for compliance with standards and regulations like GDPR or HIPAA, which require protection of personal and sensitive information. However, the provided information does not explicitly detail the impact on compliance with these regulations.

Detection Guidance

To detect this vulnerability on your system, you should first verify the version of the Ghost CMS you are running. Versions from 6.19.4 up to 6.21.0 are vulnerable.

You can check the Ghost version by running the following command in the Ghost installation directory:

  • ghost version

To detect potential exploitation attempts on your network, monitor outbound HTTP requests made by the Ghost server to unusual or internal IP addresses or metadata endpoints. This can be done by inspecting network logs or using network monitoring tools.

For example, on a Linux system, you can use the following command to monitor outbound HTTP requests in real-time (assuming the Ghost server runs on port 2368):

  • sudo tcpdump -i any -nn -s 0 -A 'tcp dst port 80 or tcp dst port 443 and host <ghost_server_ip>'

Additionally, reviewing Ghost application logs for unusual image URLs or requests to internal IP ranges can help identify exploitation attempts.

Ultimately, the recommended mitigation is to update Ghost to version 6.21.1 or later.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53946. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart