CVE-2026-53944
MediumCVSS 5.8Exploitation Probability (EPSS)
Low risk10th percentile — higher than 10% of all known CVEs
Summary
Ghost is a Node.js content management system. From versions 6.0.9 to 6.21.1, it is possible to bypass the IP filter when making an external request, allowing it to target an internal service using an IPv6 literal that maps to a private IPv4 address.
Risk Assessment
Bypassing the IP filter may lead to unauthorized access to internal services, posing a significant security risk to the organization.
Recommendation
It is recommended to update Ghost to version 6.21.1 or later to mitigate this vulnerability.
Original NVD description (English source)
Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, when making an external request, it is possible to bypass the IP filter that ensures the request isn't going to an internal service using an IPv6 literal which maps to a private IPv4 address. This vulnerability is fixed in 6.21.1.

