Platform: nodejs
Component: ghost
Fixed in: 5.101.7, 6.19.3
CVE-2026-29784 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in Ghost CMS. This flaw allows attackers to potentially exploit login sessions, increasing the risk of unauthorized access and site takeover. The vulnerability impacts versions 5.101.6 through 6.19.2 and has been resolved in version 6.19.3.
The vulnerability lies in incomplete CSRF protections surrounding the /session/verify endpoint. An attacker could craft malicious requests that, if successful, would allow them to use One-Time Codes (OTCs) within login sessions different from the one being actively used by a legitimate user. This significantly lowers the barrier for phishing attacks, as an attacker could potentially trick a user into unknowingly triggering a request that compromises their Ghost site. The blast radius extends to any Ghost site running the vulnerable versions, potentially exposing sensitive data and allowing for complete site control.
This vulnerability was publicly disclosed on March 5, 2026. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Given the nature of CSRF vulnerabilities, it's reasonable to assume that attackers may attempt to exploit this flaw, especially if a public exploit is released.
Ghost CMS users, particularly those running self-hosted instances and relying on OTC authentication, are at risk. Shared hosting environments where multiple Ghost sites share the same server infrastructure could also be affected, as a compromise of one site could potentially lead to lateral movement.
• nodejs / server: ps aux | grep ghost
• nodejs / server: npm list [email protected]
• generic web: Check the X-Content-Type-Options header in response headers to ensure it's set to nosniff to mitigate some CSRF risks.
EPSS: 0.02% (5th percentile)
The primary mitigation is to upgrade Ghost CMS to version 6.19.3 or later, which includes the necessary fix. For self-hosted instances using Docker, update the Ghost Docker image to the latest version. If immediate upgrading is not feasible, consider implementing stricter Content Security Policy (CSP) headers to limit the origins from which scripts can be executed. While not a complete solution, this can reduce the attack surface. Regularly review and audit your Ghost CMS configuration for any unusual activity.
Update Ghost to version 6.19.3 or later. This version corrects the incomplete CSRF protection that allowed OTCs to be used in login sessions other than the requesting session. The update mitigates the risk of attackers taking over the site.
CVE-2026-29784 is a Cross-Site Request Forgery vulnerability in Ghost CMS versions 5.101.6 to 6.19.2, allowing attackers to potentially take over login sessions.
You are affected if you are running Ghost CMS versions 5.101.6 through 6.19.2. Upgrade to 6.19.3 or later to resolve the issue.
Upgrade Ghost CMS to version 6.19.3 or later. For Docker users, update the Ghost Docker image. Consider implementing stricter CSP headers as a temporary measure.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the official Ghost blog and security advisories for the latest information: https://ghost.org/security/