CVE-2026-53944 | Ghost is a Node.js content management system. From 6.0.9 unt… | CVSS 5.8 MEDIUM

Description

Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, when making an external request, it is possible to bypass the IP filter that ensures the request isn't going to an internal service using an IPv6 literal which maps to a private IPv4 address. This vulnerability is fixed in 6.21.1.

Metadata

CVE ID: CVE-2026-53944
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-11 15:50 UTC
Published: 2026-06-24 18:10 UTC
Last updated: 2026-06-24 18:50 UTC
Primary CWE: CWE-184
CWE-184: Incomplete List of Disallowed Inputs
Vendor / Product: TryGhost / Ghost
Sources: cve.org · NVD

Severity & Metrics

5.8 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
TryGhost	Ghost	—	>= 6.0.9, < 6.21.1

Weakness (CWE)

CWE	Source	Description
CWE-184	cna	CWE-184: Incomplete List of Disallowed Inputs
CWE-918	cna	CWE-918: Server-Side Request Forgery (SSRF)

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.8	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

References (1)

https://github.com/TryGhost/Ghost/security/advisories/GHSA-wvp2-4qqp-4h3r https://github.com/TryGhost/Ghost/security/advisories/GHSA-wvp2-4qqp-4h3r