Description
Ghost is a Node.js content management system. In versions 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost’s media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API to exfiltrate data from internal systems via SSRF. This issue has been patched in versions 5.130.6 and 6.11.0.
Published: 2026-01-10
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote data exfiltration via SSRF using valid staff API tokens
Action: Patch immediately
AI Analysis

Impact

Ghost 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3 let a staff user who holds a valid Ghost Admin API authentication token point the external media inliner at URLs of their choosing, so the Ghost server itself performs the fetch. This Server-Side Request Forgery lets the attacker reach hosts that are routable only from the server (for example loopback services, private-network hosts or cloud instance-metadata endpoints) and read what they return, compromising the confidentiality of internal resources. The rated impact is confidentiality only: both CVSS vectors on this page mark integrity and availability as unaffected.

Affected Systems

TryGhost Ghost content management system is affected. The vulnerability exists in all releases from 5.38.0 up to and including 5.130.5 and from 6.0.0 up to and including 6.10.3. The issue was fixed in Ghost 5.130.6 and 6.11.0.

Risk and Exploitability

GitHub's CVSS 4.0 assessment scores the issue 5.1 (Medium); NVD's CVSS 3.1 assessment scores it 2.7 (Low). Both require high privileges (PR:H): the attacker must already hold a valid staff authentication token for the Admin API, whether as a malicious insider or through a stolen or leaked token. EPSS is below 1 %, the SSVC record notes no known exploitation and rates the issue as not automatable, and it is not listed in the CISA KEV catalog. Once a token is in hand, a single API request that names an attacker-chosen media host is enough to make the server issue the outbound request, but the rated effect is a low confidentiality loss on systems the Ghost server can reach (SC:L in the CVSS 4.0 vector). The overall risk is moderate: the privilege requirement and the absence of known exploitation lower the urgency, while the sensitivity of whatever sits behind the Ghost host's network position raises it.

Generated by OpenCVE AI on April 18, 2026 at 07:13 UTC.

Remediation

Vendor fix available: upgrade to Ghost 5.130.6 on the 5.x line or 6.11.0 on the 6.x line (see advisory GHSA-vmc4-9828-r48r). No vendor-provided workaround is listed on this page.

OpenCVE Recommended Actions

  • Update Ghost to at least version 5.130.6 or 6.11.0 to apply the official fix.
  • If an immediate upgrade is not possible, reduce who can trigger the inliner: exploitation requires a valid staff token, so audit staff accounts and Admin API integration keys, rotate any that may have been exposed, and restrict access to the Admin API to trusted networks where the deployment allows it.
  • Apply egress filtering on the Ghost host or its network segment so the Ghost process cannot open outbound connections to loopback, RFC 1918 private ranges, link-local 169.254.0.0/16 (which includes cloud instance-metadata endpoints) or other internal services. An SSRF can only reach what the server itself can reach, so this limits the damage even if the application-level check is bypassed.

Generated by OpenCVE AI on April 18, 2026 at 07:13 UTC.


Advisories
Source        ID                     Title
GitHub GHSA   GHSA-vmc4-9828-r48r    Ghost has SSRF via External Media Inliner
History

Thu, 15 Jan 2026 18:45:00 +0000

Type                 Values Removed   Values Added
CPEs                                  cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*
Metrics (cvssV3_1)                    score 2.7, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N


Mon, 12 Jan 2026 17:15:00 +0000

Type                 Values Removed   Values Added
Metrics (ssvc)                        version 2.0.3: Automatable: no, Exploitation: none, Technical Impact: partial


Mon, 12 Jan 2026 14:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Ghost, Ghost ghost
Vendors & Products                    Ghost, Ghost ghost

Sat, 10 Jan 2026 03:15:00 +0000

Type                 Values Removed   Values Added
Description                           Ghost is a Node.js content management system. In versions 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost’s media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API to exfiltrate data from internal systems via SSRF. This issue has been patched in versions 5.130.6 and 6.11.0.
Title                                 Ghost has SSRF via External Media Inliner
Weaknesses                            CWE-918
References
Metrics (cvssV4_0)                    score 5.1, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-12T16:23:47.163Z

Reserved: 2026-01-07T21:50:39.532Z

Link: CVE-2026-22597

Vulnrichment

Updated: 2026-01-12T15:33:47.677Z

NVD

Status : Analyzed

Published: 2026-01-10T03:15:50.860

Modified: 2026-01-15T18:36:01.117

Link: CVE-2026-22597

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:15:25Z

Weaknesses