Is Node.js affected by CVE-2026-29053?

A critical vulnerability in Ghost CMS (versions 0.7.2-6.19.0) allows attackers to execute arbitrary code on affected servers through malicious theme uploads. Organizations running vulnerable Ghost instances face complete server compromise, data breach, and service disruption.

CVE-2026-29053

HIGH

2026-03-05 [email protected]

GHSA-cgc2-rcrh-qr5x

7.6

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

CVE Published

Mar 05, 2026 - 06:16 nvd

HIGH 7.6

Description

Ghost is a Node.js content management system. From version 0.7.2 to 6.19.0, specifically crafted malicious themes can execute arbitrary code on the server running Ghost. This issue has been patched in version 6.19.1.

Analysis

Arbitrary code execution in Ghost CMS versions 0.7.2 through 6.19.0 allows authenticated attackers with theme upload privileges to execute malicious code on the server by crafting specially designed theme files. The vulnerability affects Ghost installations running on Node.js and requires high privileges to exploit, though successful attacks compromise complete server integrity with confidentiality, integrity, and availability impact. …

Remediation

Within 24 hours: Identify and inventory all Ghost CMS deployments and their versions; disable theme upload functionality or restrict to administrative users only. Within 7 days: Implement compensating controls (network segmentation, WAF rules blocking suspicious theme uploads); escalate with Ghost vendor for patch timeline. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +38

POC: 0

CVE-2026-29053 vulnerability details – vuln.today

Back

CVE-2026-29053

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-29053

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code