Description
Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, an attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaScript with the victim's permissions, potentially leading to account takeover. Ghost Portal versions 2.29.1 through 2.51.4 and 2.52.0 through 2.57.0 were vulnerable to this issue. Ghost automatically loads the latest patch of the members Portal component via CDN. For Ghost 5.x users, upgrading to v5.121.0 or later fixes the vulnerability. v5.121.0 loads Portal v2.51.5, which contains the patch. For Ghost 6.x users, upgrading to v6.15.0 or later fixes the vulnerability. v6.15.0 loads Portal v2.57.1, which contains the patch. For Ghost installations using a customized or self-hosted version of Portal, it will be necessary to manually rebuild from or update to the latest patch version.
Published: 2026-01-27
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution via cross‑site scripting
Action: Patch immediately
AI Analysis

Impact

A cross‑site scripting flaw allows an attacker to craft a malicious Portal preview link that, when opened by an authenticated staff user or member, runs arbitrary JavaScript with that victim's permissions, potentially enabling account takeover. It is a reflected XSS weakness classified as CWE‑79: the victim must open the crafted link while logged in, and the injected script then executes in the victim's session, so the attacker gains the victim's privileges within the system.

Affected Systems

Ghost CMS versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, along with Ghost Portal component versions 2.29.1 through 2.51.4 and 2.52.0 through 2.57.0, are vulnerable. For Ghost 5.x users, upgrading to v5.121.0 or later (which includes Portal v2.51.5) resolves the issue; for Ghost 6.x users, upgrading to v6.15.0 or later (which includes Portal v2.57.1) is required. Installations that use a custom or self‑hosted portal must rebuild or update the portal to the latest patched version.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS score of less than 1% reflects a low but not negligible likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, so there is no confirmed in‑the‑wild exploitation on record. The attacker needs no privileges of their own (CVSS PR:N), but the victim must be logged in and open the malicious link (UI:R); once it runs, the script executes with the victim's user rights, enabling further compromise of the account and potentially the broader platform.

Generated by OpenCVE AI on April 18, 2026 at 01:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ghost core to a patched release (v5.121.0+ for 5.x or v6.15.0+ for 6.x).
  • For installations with a custom or self‑hosted portal, rebuild or update the portal to the latest patched version (v2.57.1 or newer).
  • Apply a strong Content‑Security‑Policy on the portal to block injected scripts until a permanent fix is deployed.

Advisories

Source: GitHub GHSA
ID: GHSA-gv6q-2m97-882h
Title: Ghost vulnerable to XSS via malicious Portal preview links
History

Mon, 02 Feb 2026 15:30:00 +0000

Type: First Time appeared
Values Added: Ghost portal

Type: CPEs
Values Added: cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*
              cpe:2.3:a:ghost:portal:*:*:*:*:*:node.js:*:*

Type: Vendors & Products
Values Added: Ghost portal

Wed, 28 Jan 2026 21:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 28 Jan 2026 12:30:00 +0000

Type: First Time appeared
Values Added: Ghost
              Ghost ghost

Type: Vendors & Products
Values Added: Ghost
              Ghost ghost

Tue, 27 Jan 2026 22:15:00 +0000

Type: Description
Values Added: Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, an attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaScript with the victim's permissions, potentially leading to account takeover. Ghost Portal versions 2.29.1 through 2.51.4 and 2.52.0 through 2.57.0 were vulnerable to this issue. Ghost automatically loads the latest patch of the members Portal component via CDN. For Ghost 5.x users, upgrading to v5.121.0 or later fixes the vulnerability. v5.121.0 loads Portal v2.51.5, which contains the patch. For Ghost 6.x users, upgrading to v6.15.0 or later fixes the vulnerability. v6.15.0 loads Portal v2.57.1, which contains the patch. For Ghost installations using a customized or self-hosted version of Portal, it will be necessary to manually rebuild from or update to the latest patch version.

Type: Title
Values Added: Ghost vulnerable to XSS via malicious Portal preview links

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1
{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-28T21:11:19.164Z

Reserved: 2026-01-26T21:06:47.869Z

Link: CVE-2026-24778

Vulnrichment

Updated: 2026-01-28T21:11:15.734Z

NVD

Status : Analyzed

Published: 2026-01-27T22:15:57.097

Modified: 2026-02-02T15:21:41.313

Link: CVE-2026-24778

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:00:10Z

Weaknesses