CVE-2026-29053

HIGH

Ghost 0.7.2-6.19.0 - Code Injection

Description

Ghost is a Node.js content management system. In versions 0.7.2 through 6.19.0, specially crafted malicious themes can execute arbitrary code on the server running Ghost. This issue has been patched in version 6.19.1.

Exploits (2)

nomisec WORKING POC
by AC8999 · poc
https://github.com/AC8999/CVE-2026-29053
nomisec WORKING POC
by rootxran · poc
https://github.com/rootxran/CVE-2026-29053

Scores

CVSS v3 7.6
EPSS 0.0003
EPSS Percentile 7.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Details

CWE
CWE-74
Status published
Products (2)
ghost/ghost 0.7.2 - 6.19.1
npm/ghost 0.7.2 - 6.19.1
Published Mar 05, 2026
Tracked Since Mar 05, 2026