ghost

25 known vulnerabilities · 3 critical · 4 high

CVE-2022-41654 MEDIUM

ghost vulnerable to unauthorized newsletter modification via improper access controls

Published Nov 28, 2022
CVE-2023-32235 HIGH

Path Traversal in Ghost

Published May 5, 2023
CVE-2023-31133 HIGH

Ghost vulnerable to information disclosure of private API fields

Published May 3, 2023
CVE-2026-29784

Ghost has incomplete CSRF protections around OTC use

Published Mar 5, 2026
CVE-2020-8134 HIGH

Server-side request forgery in Ghost CMS

Published May 6, 2021
CVE-2026-24778

Ghost vulnerable to XSS via malicious Portal preview links

Published Jan 28, 2026
CVE-2026-26980

Ghost has a SQL injection in Content API

Published Feb 18, 2026
CVE-2022-27139 CRITICAL

Arbitrary file upload in Ghost

Published Apr 13, 2022
CVE-2026-22594

Ghost has Staff 2FA bypass

Published Jan 8, 2026
CVE-2021-29484 MEDIUM

DOM XSS in Theme Preview

Published Apr 29, 2021
CVE-2024-23724 CRITICAL

Ghost has possible Cross-site Scripting issue

Published Feb 11, 2024
CVE-2023-40028 MEDIUM

Ghost vulnerable to arbitrary file read via symlinks in content import

Published Aug 15, 2023
CVE-2026-22595

Ghost has Staff Token permission bypass

Published Jan 8, 2026
CVE-2026-29053

Ghost Vulnerable to Remote Code Execution via Malicious Themes

Published Mar 3, 2026
CVE-2022-28397 CRITICAL

Arbitrary file upload in Ghost

Published Apr 13, 2022
CVE-2024-23725 MEDIUM

Cross-site Scripting in Ghost

Published Jan 21, 2024
CVE-2026-22596

Ghost has SQL Injection in Members Activity Feed

Published Jan 8, 2026
CVE-2025-9862

Ghost vulnerable to Server Side Request Forgery (SSRF) via oEmbed Bookmark

Published Sep 15, 2025
CVE-2026-22597

Ghost has SSRF via External Media Inliner

Published Jan 8, 2026
CVE-2021-39192 MEDIUM

Privilege escalation: all users can access Admin-level API keys

Published Jul 22, 2021
CVE-2024-34448 HIGH

Ghost allows CSV Injection during member CSV export

Published May 22, 2024
MAL-2022-3282

Malicious code in gatsby-plugin-ghost-manifest (npm)

Published Jun 20, 2022
MAL-2025-3764

Malicious code in ghosts3c (npm)

Published May 12, 2025
MAL-2025-49286

Malicious code in gunpowder-ghost (npm)

Published Oct 31, 2025
MAL-2026-2366

Malicious code in ghost-module (npm)

Published Mar 24, 2026