Description
Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, when making an external request, it is possible to bypass the IP filter that ensures the request isn't going to an internal service using an IPv6 literal which maps to a private IPv4 address. This vulnerability is fixed in 6.21.1.
Published: 2026-06-24
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Ghost versions 6.0.9 through 6.21.0 contain a flaw that allows an attacker to bypass the IP filter designed to prevent server-side requests to internal services. By using an IPv6 literal that maps to a private IPv4 address, the application can be tricked into sending requests to privileged internal resources. The consequence is exposure of internal network services, potential data leakage, or further lateral movement within the compromised organization.

Affected Systems

The vulnerability affects deployments of the TryGhost Ghost content management system between version 6.0.9 and 6.21.0, inclusive. All earlier versions are unaffected, and the defect is fixed in Ghost 6.21.1.

Risk and Exploitability

The CVSS score of 5.8 indicates a moderate risk; no EPSS score is available and the issue is not listed in CISA KEV. The attack vector is inferred to be remote, relying on an attacker’s ability to craft a request that provides the malicious IPv6 literal to Ghost’s request-handling logic. Successful exploitation would let an attacker compel the server to query internal endpoints, leading to potential disclosure of sensitive data or ecosystem compromise.

Generated by OpenCVE AI on June 24, 2026 at 19:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ghost to version 6.21.1 or later.
  • If an upgrade cannot be performed immediately, restrict Ghost’s outbound traffic to external endpoints only—configure firewall or proxy rules to block requests to internal IP ranges, especially private IPv4 and localhost addresses.
  • Implement or enforce input validation that rejects IPv6 addresses resolving to private IPv4 addresses before the request is made, thereby neutralizing the bypass condition.

Generated by OpenCVE AI on June 24, 2026 at 19:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Ghost
Ghost ghost
Vendors & Products Ghost
Ghost ghost

Wed, 24 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, when making an external request, it is possible to bypass the IP filter that ensures the request isn't going to an internal service using an IPv6 literal which maps to a private IPv4 address. This vulnerability is fixed in 6.21.1.
Title Ghost: Private IP filtering bypass to make server-side requests to internal services
Weaknesses CWE-184
CWE-918
References
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T18:50:17.772Z

Reserved: 2026-06-11T15:50:01.280Z

Link: CVE-2026-53944

cve-icon Vulnrichment

Updated: 2026-06-24T18:50:14.901Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T13:15:03Z

Weaknesses
  • CWE-184

    Incomplete List of Disallowed Inputs

  • CWE-918

    Server-Side Request Forgery (SSRF)