Ghost

This hub aggregates every CVE we track for Ghost, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Ghost.

• CVE-2026-29784Ghost: Incomplete CSRF protections around OTC use7.5Mar 7, 2026
• CVE-2026-29053Ghost Vulnerable to Remote Code Execution via Malicious Themes7.6Mar 5, 2026
• CVE-2026-26365Akamai Ghost on Akamai CDN edge servers before 2026-02-06 mishandles processing of custom hop-by-hop HTTP headers, where an incoming request containing the header "Connection: Transfer-Encoding" co...4.0Feb 23, 2026
• CVE-2026-26980Ghost has a SQL Injection in its Content API9.4Feb 20, 2026
• CVE-2026-24778Ghost vulnerable to XSS via malicious Portal preview links8.8Jan 27, 2026
• CVE-2026-22597Ghost has SSRF via External Media Inliner2.7Jan 10, 2026
• CVE-2026-22596Ghost has SQL Injection in Members Activity Feed6.7Jan 10, 2026
• CVE-2026-22595Ghost has Staff Token permission bypass8.1Jan 10, 2026
• CVE-2026-22594Ghost has Staff 2FA bypass8.1Jan 10, 2026
• CVE-2025-9862Ghost 6.0.6 - SSRF via oEmbed Bookmark6.5Sep 17, 2025
• CVE-2024-43409Ghost's improper authentication allows access to member information and actions6.5Aug 20, 2024
• CVE-2024-34451Ghost through 5.85.1 allows remote attackers to bypass an authentication rate-limit protection mechanism by using many X-Forwarded-For headers with different values. NOTE: the vendor's position is ...9.1Jun 16, 2024
• CVE-2024-34448Ghost before 5.82.0 allows CSV Injection during a member CSV export.8.8May 22, 2024
• CVE-2024-34559WordPress Ghost plugin <= 1.4.0 - Sensitive Data Exposure via Log File vulnerability7.5May 9, 2024
• CVE-2024-23724Ghost through 5.76.0 allows stored XSS, and resultant privilege escalation in which a contributor can take over any account, via an SVG profile picture that contains JavaScript code to interact wit...9.0Feb 11, 2024