Description
Ghost is a Node.js content management system. From 6.19.4 until 6.21.1, insufficient validation of the client-supplied Content-Type on Ghost's Admin API file upload endpoint allowed uploaded files to be served from the site with an attacker-chosen content type on S3/GCS storage backends. On installations that serve uploaded files from the same origin as the site, this could have been used to facilitate stored cross-site scripting against site visitors or staff. This vulnerability is fixed in 6.21.1.
Published: 2026-06-24
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Ghost is a Node.js content management system that exposes an Admin API file upload endpoint. From 6.19.4 through 6.21.0 the system does not verify the client‑supplied Content‑Type header. An attacker can upload a file with a chosen MIME type and have it served with that type when the storage backend is S3 or GCS. If the site serves uploaded files from the same origin, the attacker can inject malicious scripts that are stored and later executed for any user or staff who visits the site, leading to a stored cross‑site scripting vulnerability consistent with CWE‑434. The issue is fixed in Ghost 6.21.1.

Affected Systems

The issue affects TryGhost Ghost versions 6.19.4, 6.20.x, and 6.21.0. These releases are vulnerable when uploads are served from the same domain as the site. Versions prior to 6.19.4 or 6.21.1 and newer are not impacted.

Risk and Exploitability

The CVSS score is 5.4, indicating moderate severity, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires access to the Admin API file upload endpoint, typically meaning elevated user privileges. Once an attacker has such access, he can upload files with a malicious content type that will be served to site visitors, enabling stored XSS. No EPSS score is available, so the likelihood of exploitation is uncertain, but the moderate CVSS and authorized‑user requirement suggest a medium risk in environments that expose the Admin API to potential attackers.

Generated by OpenCVE AI on June 24, 2026 at 21:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch by upgrading Ghost to version 6.21.1 or newer.
  • If an immediate upgrade is not possible, restrict access to the Admin API to trusted users, limit the IP ranges that may reach the endpoint, and enforce strict MIME‑type validation on uploads.
  • Configure the storage backend to serve files from a separate domain or apply a strong Content Security Policy to mitigate potential XSS consumption.

Generated by OpenCVE AI on June 24, 2026 at 21:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Ghost
Ghost ghost
Vendors & Products Ghost
Ghost ghost

Wed, 24 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description Ghost is a Node.js content management system. From 6.19.4 until 6.21.1, insufficient validation of the client-supplied Content-Type on Ghost's Admin API file upload endpoint allowed uploaded files to be served from the site with an attacker-chosen content type on S3/GCS storage backends. On installations that serve uploaded files from the same origin as the site, this could have been used to facilitate stored cross-site scripting against site visitors or staff. This vulnerability is fixed in 6.21.1.
Title Ghost: File Upload Content-Type Spoofing
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T13:17:23.333Z

Reserved: 2026-06-11T15:50:01.281Z

Link: CVE-2026-53948

cve-icon Vulnrichment

Updated: 2026-06-25T13:17:19.996Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T13:15:03Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type