Impact
This vulnerability is a partial bypass of filter validation on Ghost’s public API endpoints, allowing attackers to iteratively query for disabled or private fields and expose them. When SQLite is used as the back‑end, the exposed fields include full password hashes, granting the attacker direct access to authentication data. With MySQL, the hash case is lost, reducing the usefulness of the data but still revealing the existence of passwords.
Affected Systems
TryGhost Ghost, versions from 5.46.1 up to and including 6.21.2, are affected. The fix was introduced in 6.21.2.
Risk and Exploitability
The CVSS score of 5.3 indicates a moderate risk level. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote via the exposed public API; attackers need an environment that enables sending filter queries and can perform brute‑force enumeration of fields. Successful exploitation leads to unauthorized exposure of private data, particularly password hashes, hence a confidentiality impact.
OpenCVE Enrichment