Description
Ghost is a Node.js content management system. From until 6.37.0, when Ghost is behind a shared caching layer that results in cached content being shared between different visitors, an unauthenticated user could send an x-ghost-preview header that altered the rendered frontend response. In affected cache configurations, that response could be stored and served to subsequent visitors requesting the same page, allowing cache poisoning of request-specific preview output. When running Ghost's frontend and admin panel on the same domain this could be used to take over staff user accounts. When running these on different domains staff accounts have no exposure. This vulnerability is fixed in 6.37.0.
Published: 2026-06-24
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Ghost is a Node.js content management system that can be deployed behind a shared caching layer. An unauthenticated user may include a custom x-ghost-preview header in an HTTP request that alters the rendering of the frontend page. When the modified content is cached and subsequently served to other visitors, it results in cache poisoning and injection of arbitrary HTML or script. In configurations where the Ghost frontend and admin panel share the same domain, an attacker can leverage the injected code to hijack staff user accounts, effectively gaining elevated privileges. The weakness is classified as CWE-524, reflecting uncontrolled use of an input header to influence output.

Affected Systems

The affected product is Ghost, published by TryGhost. All releases prior to version 6.37.0 are impacted; the issue is resolved in Ghost 6.37.0 and later.

Risk and Exploitability

The vulnerability has a CVSS score of 9.6, indicating a high severity level. No EPSS score is reported and the vulnerability is not listed in CISA KEV. An attacker can exploit it without authentication by sending a crafted HTTP request bearing the x-ghost-preview header; the attack requires the presence of a shared caching mechanism that stores and serves dynamic preview pages across users. If the frontend and admin share the same domain, the resulting cache poisoning enables privilege escalation to staff accounts, presenting a significant risk to both confidentiality and integrity of the system.

Generated by OpenCVE AI on June 24, 2026 at 19:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ghost to version 6.37.0 or later.
  • If an immediate upgrade is not feasible, disable or reconfigure any shared caching between the frontend and admin sections so that content is not cached across users.
  • When possible, host the frontend and admin panel on separate domains or origins to prevent attackers from compromising staff accounts via cached XSS injection.

Generated by OpenCVE AI on June 24, 2026 at 19:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-62q6-4hv4-vjrw Ghost: Cache-poisoning XSS in Ghost frontend via x-ghost-preview header
History

Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Ghost
Ghost ghost
Vendors & Products Ghost
Ghost ghost

Wed, 24 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description Ghost is a Node.js content management system. From until 6.37.0, when Ghost is behind a shared caching layer that results in cached content being shared between different visitors, an unauthenticated user could send an x-ghost-preview header that altered the rendered frontend response. In affected cache configurations, that response could be stored and served to subsequent visitors requesting the same page, allowing cache poisoning of request-specific preview output. When running Ghost's frontend and admin panel on the same domain this could be used to take over staff user accounts. When running these on different domains staff accounts have no exposure. This vulnerability is fixed in 6.37.0.
Title Ghost: Cache-poisoning XSS in Ghost frontend via x-ghost-preview header
Weaknesses CWE-524
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T18:48:56.416Z

Reserved: 2026-06-11T15:50:01.280Z

Link: CVE-2026-53943

cve-icon Vulnrichment

Updated: 2026-06-24T18:41:08.971Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T13:15:03Z

Weaknesses
  • CWE-524

    Use of Cache Containing Sensitive Information