CVE-2026-53945 | Ghost is a Node.js content management system. From 6.0.9 unt… | CVSS 4.0 MEDIUM

Description

Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, Ghost’s private-IP check for outbound HTTP requests could be bypassed via DNS rebinding, allowing an attacker to coerce the Ghost server into reaching hosts on internal networks through features that issue external fetches. This vulnerability is fixed in 6.21.1.

Metadata

CVE ID: CVE-2026-53945
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-11 15:50 UTC
Published: 2026-06-24 18:09 UTC
Last updated: 2026-06-25 15:38 UTC
Primary CWE: CWE-367
CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
Vendor / Product: TryGhost / Ghost
Sources: cve.org · NVD

Severity & Metrics

4.0 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
TryGhost	Ghost	—	>= 6.0.9, < 6.21.1

Weakness (CWE)

CWE	Source	Description
CWE-367	cna	CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
CWE-918	cna	CWE-918: Server-Side Request Forgery (SSRF)

CVSS scores (1)

Score	Severity	Version	Source	Vector
4.0	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

References (1)

https://github.com/TryGhost/Ghost/security/advisories/GHSA-ch52-px8q-f22j https://github.com/TryGhost/Ghost/security/advisories/GHSA-ch52-px8q-f22j