Ghost: Server-side request forgery via DNS rebinding in external request handling
Summary
| CVE | CVE-2026-53945 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-24 19:17:12 UTC |
| Updated | 2026-06-24 19:17:12 UTC |
| Description | Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, Ghost’s private-IP check for outbound HTTP requests could be bypassed via DNS rebinding, allowing an attacker to coerce the Ghost server into reaching hosts on internal networks through features that issue external fetches. This vulnerability is fixed in 6.21.1. |
Risk And Classification
Primary CVSS: v3.1 4 MEDIUM from [email protected]
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
Problem Types: CWE-367 | CWE-918 | CWE-367 CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition | CWE-918 CWE-918: Server-Side Request Forgery (SSRF)
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 4 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N |
| 3.1 | CNA | DECLARED | 4 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
HighPrivileges Required
NoneUser Interaction
NoneScope
ChangedConfidentiality
NoneIntegrity
LowAvailability
NoneCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/TryGhost/Ghost/security/advisories/GHSA-ch52-px8q-f22j | [email protected] | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.