Description
An arbitrary file upload vulnerability in the file upload module of Ghost v4.39.0 allows attackers to execute arbitrary code via a crafted SVG file. NOTE: Vendor states that as outlined in Ghost's security documentation, upload of SVGs is only possible by trusted authenticated users. The uploading of SVG files to Ghost does not represent a remote code execution vulnerability. SVGs are not executable on the server, and may only execute javascript in a client's browser - this is expected and intentional functionality
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://youtu.be/FCqWEvir2wE
Various Sources x_refsource_misc
http://ghost.org/docs/security/#privilege-escalation-attacks
Scores
CVSS v3
9.8
EPSS
0.0606
EPSS Percentile
90.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-434
Status
published
Products (2)
ghost/ghost
4.39.0
npm/ghost
0npm
Published
Apr 12, 2022
Tracked Since
Feb 18, 2026