CVE Catalog

CVE-2026-53945

MediumCVSS 4.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.14%

4th percentile — higher than 4% of all known CVEs

Summary

Ghost is a Node.js content management system. From versions 6.0.9 to 6.21.1, the private-IP check for outbound HTTP requests could be bypassed via DNS rebinding, allowing an attacker to coerce the Ghost server into reaching hosts on internal networks.

Risk Assessment

This vulnerability may lead to unauthorized access to internal organizational resources, posing a serious threat to data security.

Recommendation

It is recommended to update Ghost to version 6.21.1 or later to mitigate this vulnerability.

Original NVD description (English source)

Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, Ghost’s private-IP check for outbound HTTP requests could be bypassed via DNS rebinding, allowing an attacker to coerce the Ghost server into reaching hosts on internal networks through features that issue external fetches. This vulnerability is fixed in 6.21.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS