24 Total advisories (24 Vulnerabilities, 0 Malware)
Vulnerabilities

Severity (score) | Identifier | Title
CRITICAL 9.4 | CVE-2026-26980 | Ghost has a SQL injection in Content API
MEDIUM 6.5 | CVE-2021-39192 | Privilege escalation: all users can access Admin-level API keys
HIGH 8.5 | CVE-2022-41654 | Ghost vulnerable to unauthorized newsletter modification via improper access controls
MEDIUM 6.8 | CVE-2021-29484 | DOM XSS in Theme Preview
HIGH 7.5 | CVE-2026-29784 | Ghost has incomplete CSRF protections around OTC use
HIGH 7.6 | CVE-2026-29053 | Ghost Vulnerable to Remote Code Execution via Malicious Themes
HIGH 8.8 | CVE-2026-24778 | Ghost vulnerable to XSS via malicious Portal preview links
HIGH 8.1 | CVE-2026-22595 | Ghost has Staff Token permission bypass
MEDIUM 6.7 | CVE-2026-22596 | Ghost has SQL Injection in Members Activity Feed
UNKNOWN | CVE-2026-22597 | Ghost has SSRF via External Media Inliner
HIGH 8.1 | CVE-2026-22594 | Ghost has Staff 2FA bypass
UNKNOWN | CVE-2025-9862 | Ghost vulnerable to Server Side Request Forgery (SSRF) via oEmbed Bookmark
MEDIUM 6.5 | CVE-2024-43409 | Ghost's improper authentication allows access to member information and actions
MEDIUM 6.5 | CVE-2024-23724 | Ghost has possible Cross-site Scripting issue
CRITICAL 9.8 | CVE-2022-28397 | Arbitrary file upload in Ghost
MEDIUM 6.1 | CVE-2024-23725 | Cross-site Scripting in Ghost
MEDIUM 4.9 | CVE-2023-40028 | Ghost vulnerable to arbitrary file read via symlinks in content import
HIGH 7.5 | CVE-2023-32235 | Path Traversal in Ghost
HIGH 7.5 | CVE-2023-31133 | Ghost vulnerable to information disclosure of private API fields
CRITICAL 9.8 | CVE-2022-27139 | Arbitrary file upload in Ghost
HIGH 8.1 | CVE-2020-8134 | Server-side request forgery in Ghost CMS
MEDIUM 6.6 | GHSA-7v28-g2pq-ggg8 | Ghost vulnerable to remote code execution in locale setting change
MEDIUM 6.5 | GHSA-65p7-pjj8-ggmr | Member account takeover
MEDIUM 5.8 | GHSA-wfrj-qqc2-83cm | Remote command injection when using sendmail email transport