Skip to main content

Ghost EUVDEUVD-2026-39019

| CVE-2026-53950 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-24 GitHub_M
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
6.9 MEDIUM

Network-delivered via federation (AV:N) but needs an attacker-run malicious server plus victim viewing (AC:H, UI:R); script escapes into the user's browser session (S:C, C:H), limited integrity impact and no real availability loss (A:N).

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jun 24, 2026 - 20:03 EUVD
Analysis Generated
Jun 24, 2026 - 19:17 vuln.today

DescriptionCVE.org

@tryghost/activitypub is Ghost’s social/federation client app. Prior to 3.1.0, the ActivityPub client in Ghost was vulnerable to JavaScript injection on posts shared by a maliciously customised ActivityPub server. This vulnerability is fixed in 3.1.0.

AnalysisAI

Cross-site scripting (JavaScript injection) in Ghost's ActivityPub client (@tryghost/activitypub) prior to version 3.1.0 allows a malicious federated server to embed attacker-controlled script in shared posts that executes in the browser of a victim Ghost user who views the content. The flaw stems from improper sanitization of post content received over ActivityPub federation, enabling session theft or actions performed in the victim's authenticated context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Stand up malicious ActivityPub server
Delivery
Federate with target Ghost instance
Exploit
Craft post with embedded JavaScript
Execution
Victim views shared post in client
Persist
Injected script executes in browser session
Impact
Steal session or act as user

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker control a maliciously customized ActivityPub server and that the victim Ghost instance (prior to 3.1.0) federate with or consume posts from that server - federation must be enabled and the victim must follow/receive the attacker's content. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.5 (High) with vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker stands up or customizes an ActivityPub server and crafts a post containing embedded JavaScript, then ensures a victim Ghost instance federates with or follows that server. When a Ghost user opens or views the shared malicious post in the ActivityPub client, the injected script runs in their authenticated browser session, potentially exfiltrating session tokens or performing actions as that user. …
Remediation Upgrade the Ghost ActivityPub client (@tryghost/activitypub) to version 3.1.0 or later, which contains the fix; this is the primary and recommended remediation per the vendor advisory at https://github.com/TryGhost/Ghost/security/advisories/GHSA-xpp7-93x6-v29m. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Ghost deployments and identify which have @tryghost/activitypub enabled (versions prior to 3.1.0) and document connected federated servers. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Ghost

View all
CVE-2022-28397 CRITICAL POC
9.8 Apr 12

An arbitrary file upload vulnerability in the file upload module of Ghost CMS v4.42.0 allows attackers to execute arbitr

CVE-2022-27139 CRITICAL POC
9.8 Apr 12

An arbitrary file upload vulnerability in the file upload module of Ghost v4.39.0 allows attackers to execute arbitrary

CVE-2024-34451 CRITICAL POC
9.1 Jun 16

Ghost through 5.85.1 allows remote attackers to bypass an authentication rate-limit protection mechanism by using many X

CVE-2024-23724 CRITICAL POC
9.0 Feb 11

Ghost through 5.76.0 allows stored XSS, and resultant privilege escalation in which a contributor can take over any acco

CVE-2024-34448 HIGH POC
8.8 May 22

Ghost before 5.82.0 allows CSV Injection during a member CSV export. Rated high severity (CVSS 8.8), this vulnerability

CVE-2020-8134 HIGH POC
8.1 Mar 20

Server-side request forgery (SSRF) vulnerability in Ghost CMS < 3.10.0 allows an attacker to scan local or external netw

CVE-2023-32235 HIGH POC
7.5 May 05

Ghost before 5.42.1 allows remote attackers to read arbitrary files within the active theme's folder via /assets/built%2

CVE-2021-29484 MEDIUM POC
6.8 Apr 29

Ghost is a Node.js CMS. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication

CVE-2023-40028 MEDIUM POC
6.5 Aug 15

Ghost is an open source content management system. Rated medium severity (CVSS 6.5), this vulnerability is remotely expl

CVE-2025-9862 MEDIUM POC
6.1 Sep 17

Server-Side Request Forgery (SSRF) vulnerability in Ghost allows an attacker to access internal resources.0.0 through 6.

CVE-2026-53943 CRITICAL
9.6 Jun 24

Web cache poisoning in the Ghost Node.js CMS before 6.37.0 lets an unauthenticated attacker inject an x-ghost-preview he

CVE-2022-41697 MEDIUM POC
5.3 Dec 22

A user enumeration vulnerability exists in the login functionality of Ghost Foundation Ghost 5.9.4. Rated medium severit

Share

EUVD-2026-39019 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy