Security: TryGhost/Ghost
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
-
Paid gift memberships obtainable at minimal cost via the donations featureGHSA-xm43-3m56-w3wf published
Jun 23, 2026 by lsingerModerate -
Cache-poisoning XSS in Ghost frontend via x-ghost-preview headerGHSA-62q6-4hv4-vjrw published
May 28, 2026 by lsingerCritical -
Server-side request forgery via DNS rebinding in external request handlingGHSA-ch52-px8q-f22j published
Jun 10, 2026 by lsingerModerate -
Private IP filtering bypass to make server-side requests to internal servicesGHSA-wvp2-4qqp-4h3r published
Jun 10, 2026 by lsingerModerate -
Mobiledoc image-size fetch SSRFGHSA-g366-23fw-ggp6 published
Jun 10, 2026 by lsingerModerate -
Member existence leak via magic link sign-in responseGHSA-chgm-3698-jm42 published
Jun 10, 2026 by lsingerModerate -
File Upload Content-Type SpoofingGHSA-944x-pm95-3jpr published
Jun 10, 2026 by lsingerModerate -
Ghost Content API filter bypass reveals private fieldsGHSA-jx35-x7fj-vgpr published
Jun 10, 2026 by lsingerModerate -
XSS in Ghost's ActivityPub clientGHSA-xpp7-93x6-v29m published
Jun 10, 2026 by lsingerHigh -
Incomplete CSRF protections around OTC useGHSA-9m84-wc28-w895 published
Mar 4, 2026 by lsingerHigh