Description
Ghost is a Node.js content management system. From version 0.7.2 to 6.19.0, specifically crafted malicious themes can execute arbitrary code on the server running Ghost. This issue has been patched in version 6.19.1.
Published: 2026-03-05
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Ghost, a Node.js content management system, contains a vulnerability that allows attackers to execute arbitrary code on the server by deploying specially crafted malicious themes. The flaw is a form of improper input handling, classified as CWE-74 (Injection). When a theme is installed, the CMS fails to validate the theme's contents, enabling attackers to run code with the privileges of the Ghost process.

Affected Systems

This issue affects Ghost versions from 0.7.2 through 6.19.0, inclusive. The vendor responsible for this product is TryGhost, and the component is the Ghost CMS running on Node.js. The vulnerability was patched in Ghost version 6.19.1 and later releases.

Risk and Exploitability

The CVSS score of 7.7 indicates a high severity level, while an EPSS score of less than 1% indicates a low probability of exploitation at the time of this analysis. The vulnerability is not currently listed in the CISA KEV catalog. Based on the description, it is inferred that attackers who can upload or install a theme to an affected Ghost instance – for example through the administrative interface or by placing theme files directly on the host – may leverage the flaw to run arbitrary code on the server. The impact can be wide‑ranging, including full system compromise, data exfiltration, or lateral movement within the network.

Generated by OpenCVE AI on April 17, 2026 at 12:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ghost to version 6.19.1 or later to apply the vendor patch.
  • Delete or replace any user‑installed themes that are not from a trusted source, especially those uploaded prior to 6.19.1.
  • Enforce strict role‑based access control so that only authorized administrators can upload or modify themes, thereby limiting the attack surface.
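The first recommended action above is a version check, and on a fleet of Ghost hosts that is easiest to do programmatically. The following is an added example, not OpenCVE's or Ghost's own code: it parses semver strings, tests them against the affected range stated in this record (0.7.2 through 6.19.0, fixed in 6.19.1), and classifies a constructed inventory of hosts. The hostnames and versions in `SAMPLE_INVENTORY` are made up; `version_from_package_json` assumes a Ghost install exposes its version in the `version` field of its `package.json`, and pre-release builds of 6.19.1 are conservatively treated as still affected because they sort below the fixed release.

```python
"""Check Ghost install versions against the CVE-2026-29053 affected range.

Added example, not OpenCVE or Ghost code. The range comes from the advisory text:
0.7.2 through 6.19.0 affected, fixed in 6.19.1.
"""
import json
import re
from typing import Dict, Tuple

FIRST_AFFECTED = "0.7.2"   # from the advisory
FIXED_IN = "6.19.1"        # from the advisory

_SEMVER = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)"          # major.minor.patch
    r"(?:-([0-9A-Za-z.-]+))?"          # optional pre-release identifiers
    r"(?:\+[0-9A-Za-z.-]+)?$"          # optional build metadata (ignored)
)


def parse_version(text: str) -> Tuple:
    """Turn a semver string into a tuple that sorts correctly.

    Pre-release versions sort below the corresponding release (semver 2.0 rule),
    so 6.19.1-alpha.0 < 6.19.1 and is therefore treated as not yet fixed.
    """
    m = _SEMVER.match(text.strip())
    if not m:
        raise ValueError(f"not a semver string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return (major, minor, patch, 1, ())
    # Numeric identifiers compare as ints and sort before alphanumeric ones.
    ids = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return (major, minor, patch, 0, ids)


def is_affected(version: str) -> bool:
    """True when FIRST_AFFECTED <= version < FIXED_IN."""
    v = parse_version(version)
    return parse_version(FIRST_AFFECTED) <= v < parse_version(FIXED_IN)


def version_from_package_json(text: str) -> str:
    """Read the 'version' field from a Ghost install's package.json (assumed layout)."""
    return json.loads(text)["version"]


def assess(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> AFFECTED / NOT_AFFECTED / UNKNOWN for a {host: version} dict."""
    result = {}
    for host, ver in inventory.items():
        try:
            result[host] = "AFFECTED" if is_affected(ver) else "NOT_AFFECTED"
        except ValueError:
            result[host] = "UNKNOWN"   # unparsable version string; inspect by hand
    return result


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "blog-prod-1": "5.82.4",
    "blog-prod-2": "6.19.0",
    "blog-staging": "6.19.1",
    "blog-legacy": "0.7.1",
    "blog-canary": "6.19.1-alpha.0",
    "blog-broken": "latest",
}

if __name__ == "__main__":
    for host, status in assess(SAMPLE_INVENTORY).items():
        print(f"{host:14} {SAMPLE_INVENTORY[host]:16} {status}")
```

Hosts reported as AFFECTED are the ones the upgrade and theme-review actions above apply to; an UNKNOWN result means the version string could not be parsed and the host needs a manual check rather than being assumed safe.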


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-cgc2-rcrh-qr5x
Title: Ghost Vulnerable to Remote Code Execution via Malicious Themes
History

Mon, 09 Mar 2026 18:45:00 +0000

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*

Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Ghost; Ghost ghost

Type: Vendors & Products
Values Removed: (none)
Values Added: Ghost; Ghost ghost

Thu, 05 Mar 2026 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 06:00:00 +0000

Type: Description
Values Added: Ghost is a Node.js content management system. From version 0.7.2 to 6.19.0, specifically crafted malicious themes can execute arbitrary code on the server running Ghost. This issue has been patched in version 6.19.1.

Type: Title
Values Added: Ghost Vulnerable to Remote Code Execution via Malicious Themes

Type: Weaknesses
Values Added: CWE-74

Type: References
Values Added: (none)

Type: Metrics
Values Added: cvssV3_1
{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-05T15:29:27.533Z

Reserved: 2026-03-03T17:50:11.244Z

Link: CVE-2026-29053

Vulnrichment

Updated: 2026-03-05T15:29:24.112Z

NVD

Status : Analyzed

Published: 2026-03-05T06:16:50.410

Modified: 2026-03-09T18:40:22.160

Link: CVE-2026-29053

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:00:12Z

Weaknesses