Impact
The Ghost activitypub client is compromised by a missing sanitisation step that allows a malicious ActivityPub server to embed executable JavaScript in a post. When a user opens or views that post within Ghost, the script runs in the context of the victim's browser, leading to a classic cross‑site scripting flaw. This allows an attacker to steal session cookies, deface pages, or perform actions on behalf of the user without their knowledge.
Affected Systems
Ghost versions before 3.1.0 are affected. The vulnerability exists in the activitypub client module bundled with those releases. Organisations running TryGhost Ghost 2.x or any 3.x release earlier than 3.1.0 are therefore at risk. No later versions are vulnerable.
Risk and Exploitability
The CVSS base score is 7.5, indicating a high severity. EPSS is not available, so the current probability of exploitation is unknown, but the flaw can be triggered by any external ActivityPub server that a user has chosen to subscribe to. The CVE is not listed in CISA’s KEV catalog, suggesting no validated or widespread attacks have been reported yet, but the typical impact window of XSS means that attackers can exploit the flaw once content is received. The advisory does not provide a workaround, so the only viable mitigation is to upgrade to a patched release.
OpenCVE Enrichment