Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Unauthenticated network access confirmed by description; discrepancy leaks only membership existence, so C:L with no integrity or availability impact.
Primary rating from Vendor (GitHub_M).
CVSS Vector (Vendor: GitHub_M)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Description (CVE.org)
Ghost is a Node.js content management system. From 5.18.0 until 6.21.1, a discrepancy in responses from the members signin endpoints made it possible for an unauthenticated attacker to determine whether a given email address belongs to a registered member of a Ghost site. This vulnerability is fixed in 6.21.1.
Analysis (AI)
Ghost CMS versions 5.18.0 through 6.21.1 expose registered member email addresses to unauthenticated enumeration via observable discrepancies in the members signin endpoint responses. Any Ghost site with the members feature active is affected, allowing an attacker to silently probe whether arbitrary email addresses belong to site subscribers. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)

| Aspect | Assessment |
| --- | --- |
| Exploitation | The Ghost site must have the members feature enabled and the signin endpoint publicly accessible; this is the default configuration for Ghost sites using subscriptions or newsletters. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 5.3 Medium score with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N accurately reflects the bounded real-world risk: the vulnerability is trivially exploitable over the network with no authentication or preconditions, but the impact is strictly limited to partial confidentiality loss, specifically confirming whether an email is a registered member. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker scripted against Ghost's members signin endpoint submits a wordlist of email addresses and inspects response differences (status code, body content, or latency) to classify each address as registered or not. The resulting verified subscriber list is then used to launch targeted phishing emails impersonating the Ghost site, improving campaign credibility and click rates compared to unverified lists. … |
| Remediation | Upgrade Ghost to version 6.21.1 or later, which resolves the response discrepancy in the members signin endpoints. … Detailed patch versions, workarounds, and compensating controls in full report. |
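As an added example (not Ghost's own code), the CWE-204 pattern described above is shown beside a handler that answers identically for registered and unregistered addresses, together with the check a maintainer would run to confirm there is no discrepancy. The member store, response messages and `sendMagicLink` are constructed stand-ins.

```javascript
// Constructed sample member store; stands in for the site's member database.
const MEMBERS = new Set(['alice@example.com']);

// Stand-in for mail dispatch. In a real service this work would be queued
// off the request path so that latency does not differ by membership either.
function sendMagicLink(email) {
  return MEMBERS.has(email);
}

// Leaky handler: status code and body depend on membership, so an
// unauthenticated caller can tell a member from a non-member (CWE-204).
function leakySignin(email) {
  if (!MEMBERS.has(email)) {
    return { status: 400, body: { errors: [{ message: 'No member found' }] } };
  }
  sendMagicLink(email);
  return { status: 201, body: { message: 'Email sent' } };
}

// Uniform handler: the mail side effect still happens for members, but its
// outcome never reaches the client, so every address gets the same response.
function uniformSignin(email) {
  sendMagicLink(email); // result deliberately discarded
  return {
    status: 201,
    body: { message: 'If that address is registered, an email is on its way' },
  };
}

// Defender check: a handler is discrepancy-free when a known member and an
// unknown address yield byte-identical responses (status and body).
function responsesMatch(handler, knownEmail, unknownEmail) {
  const a = JSON.stringify(handler(knownEmail));
  const b = JSON.stringify(handler(unknownEmail));
  return a === b;
}
```

Run `responsesMatch` against each public signin-style endpoint in a test suite; any `false` result is a membership oracle worth fixing before release.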
Same weakness: CWE-204 – Observable Response Discrepancy
Same technique: Information Disclosure
External reference: EUVD-2026-39022