Description
@tryghost/activitypub is Ghost’s social/federation client app. Prior to 3.1.0, the ActivityPub client in Ghost was vulnerable to JavaScript injection on posts shared by a maliciously customised ActivityPub server. This vulnerability is fixed in 3.1.0.
Published: 2026-06-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Ghost activitypub client is compromised by a missing sanitisation step that allows a malicious ActivityPub server to embed executable JavaScript in a post. When a user opens or views that post within Ghost, the script runs in the context of the victim's browser, leading to a classic cross‑site scripting flaw. This allows an attacker to steal session cookies, deface pages, or perform actions on behalf of the user without their knowledge.

Affected Systems

Ghost versions before 3.1.0 are affected. The vulnerability exists in the activitypub client module bundled with those releases. Organisations running TryGhost Ghost 2.x or any 3.x release earlier than 3.1.0 are therefore at risk. No later versions are vulnerable.

Risk and Exploitability

The CVSS base score is 7.5, indicating a high severity. EPSS is not available, so the current probability of exploitation is unknown, but the flaw can be triggered by any external ActivityPub server that a user has chosen to subscribe to. The CVE is not listed in CISA’s KEV catalog, suggesting no validated or widespread attacks have been reported yet, but the typical impact window of XSS means that attackers can exploit the flaw once content is received. The advisory does not provide a workaround, so the only viable mitigation is to upgrade to a patched release.

Generated by OpenCVE AI on June 24, 2026 at 19:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ghost to version 3.1.0 or later, which contains the input sanitisation fix for the ActivityPub client.
  • Temporarily disable or restrict federation with untrusted ActivityPub servers until the patch is applied to reduce the attack surface.
  • Deploy a web‑application fire‑wall or content‑security‑policy that blocks inline scripts and alerts on unexpected script tags in ActivityPub payloads.

Generated by OpenCVE AI on June 24, 2026 at 19:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Ghost
Ghost ghost
Vendors & Products Ghost
Ghost ghost

Wed, 24 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description @tryghost/activitypub is Ghost’s social/federation client app. Prior to 3.1.0, the ActivityPub client in Ghost was vulnerable to JavaScript injection on posts shared by a maliciously customised ActivityPub server. This vulnerability is fixed in 3.1.0.
Title @tryghost/activitypub: XSS in Ghost's ActivityPub client
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T18:49:55.010Z

Reserved: 2026-06-11T15:50:01.281Z

Link: CVE-2026-53950

cve-icon Vulnrichment

Updated: 2026-06-24T18:49:52.457Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T13:15:03Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')