CVE Catalog

CVE-2026-53947

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.21%

11th percentile — higher than 11% of all known CVEs

Summary

A vulnerability in the Ghost content management system (versions 5.18.0 through 6.21.1) allows an unauthenticated attacker to determine whether a given email address belongs to a registered member. The issue stems from discrepancies in responses from the members signin endpoints.

Risk Assessment

An attacker can perform account enumeration, facilitating targeted social engineering or brute-force attacks on discovered accounts.

Recommendation

Immediately update Ghost to version 6.21.1 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

Ghost is a Node.js content management system. From 5.18.0 until 6.21.1, a discrepancy in responses from the members signin endpoints made it possible for an unauthenticated attacker to determine whether a given email address belongs to a registered member of a Ghost site. This vulnerability is fixed in 6.21.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS