Impact
Ghost, the popular Node.js content management system, suffered from a defect in the CSRF protection around the /session/verify endpoint. From version 5.101.6 through 6.19.2, the implementation allowed one‑time tokens (OTCs) issued for one user session to be redeemed in a different login session. An attacker who can cause a forged HTTP request to be submitted, typically by hosting a malicious page that submits a form or runs a script on behalf of a logged‑in user, can therefore trick the victim's browser into re‑using an OTC that was created for a distinct session. The result is that the attacker can take over the victim's Ghost site session, effectively a full account takeover. The weakness is a classic CSRF flaw (CWE‑352).
Affected Systems
The affected product is the Ghost content management system by TryGhost. Any deployment running Ghost versions from 5.101.6 up to and including 6.19.2 is vulnerable; version 6.19.3 and later contain the fix and are not affected.
Risk and Exploitability
The CVSS score is 7.5, indicating a high‑severity vulnerability. EPSS gives a probability of exploitation below 1 %, that is, a currently low but non‑zero likelihood. The flaw is not listed in the CISA KEV catalog. Because the issue is a CSRF weakness, the attack is delivered cross‑site: an attacker lures a logged‑in user to load a malicious webpage that submits a request, carrying an OTC, to /session/verify from the user's browser. The attacker only needs the victim to interact with a site under their control, so the exploit is possible from any location. Although the flaw does not lead directly to code execution, an attacker who gains a site session can modify content, install plugins, or access administrative functions, effectively taking over the Ghost site.
OpenCVE Enrichment
Reference: GitHub GHSA advisory