CVE-2026-53950
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk10th percentile — higher than 10% of all known CVEs
Summary
The ActivityPub client in the Ghost application was vulnerable to JavaScript injection on posts shared by a maliciously customized ActivityPub server prior to version 3.1.0. This vulnerability has been fixed in version 3.1.0.
Risk Assessment
A malicious ActivityPub server could inject malicious JavaScript code into posts, potentially leading to serious security threats for users and data.
Recommendation
It is recommended to upgrade to version 3.1.0 or later to eliminate this vulnerability.
Original NVD description (English source)
@tryghost/activitypub is Ghost’s social/federation client app. Prior to 3.1.0, the ActivityPub client in Ghost was vulnerable to JavaScript injection on posts shared by a maliciously customised ActivityPub server. This vulnerability is fixed in 3.1.0.

