CVE-2023-32235

HIGH EXPLOITED NUCLEI

Ghost < 5.42.1 - Path Traversal via /assets/built%2F..%2F..%2F/

Title source: llm

Exploitation Summary

CVE-2023-32235 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including İbrahimsql and AXRoux. A Nuclei detection template is also available.

Description

Ghost before 5.42.1 allows remote attackers to read arbitrary files within the active theme's folder via /assets/built%2F..%2F..%2F/ directory traversal. This occurs in frontend/web/middleware/static-theme.js.

Exploits (3)

exploitdb WORKING POC
by İbrahimsql · python · webapps · multiple
https://www.exploit-db.com/exploits/52408

This Python script exploits a path traversal vulnerability in Ghost CMS versions before 5.42.1 via the /assets/built/ endpoint, allowing unauthorized file disclosure. It includes multiple payloads and bypass techniques to read sensitive files like package.json, .env, and configuration files.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Ghost CMS < 5.42.1
No auth needed
Prerequisites: Network access to the Ghost CMS instance · Ghost CMS version < 5.42.1
devstral-2 · analyzed Feb 18, 2026

nomisec WRITEUP 4 stars
by AXRoux · poc
https://github.com/AXRoux/Ghost-Path-Traversal-CVE-2023-32235-

This repository contains a writeup detailing a path traversal vulnerability (CVE-2023-32235) in Ghost, allowing unauthorized access to sensitive files like package.json via manipulated file paths. The PoC includes a URL pattern and a command using httpx to test for the vulnerability.

Classification: Writeup 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Ghost (all versions up to latest at time of disclosure)
No auth needed
Prerequisites: Target running vulnerable Ghost instance · Network access to the target
devstral-2 · analyzed Feb 16, 2026

inthewild WRITEUP
poc
https://github.com/veexh/ghost-path-traversal-cve-2023-32235-

The repository provides a technical writeup for CVE-2023-32235, detailing a path traversal vulnerability in Ghost. It includes a PoC path and steps to reproduce using `httpx`, but lacks functional exploit code.

Classification: Writeup 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Ghost (all versions up to latest)
No auth needed
Prerequisites: target URL list · httpx tool
devstral-2 · analyzed Feb 23, 2026

Nuclei Templates (1)

Ghost CMS < 5.42.1 - Path Traversal
HIGH · VERIFIED · by j3ssie
Shodan: http.component:"Ghost" || http.component:"ghost"

Scores

CVSS v3 7.5
EPSS 0.9409
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

VulnCheck KEV: 2023-12-04
CWE: CWE-22
Status: published
Products (2):
ghost/ghost < 5.42.1
npm/ghost 0 - 5.42.1 (npm)
Published: May 05, 2023
Tracked Since: Feb 18, 2026