CVE-2026-53944

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-53944

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-53944.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2026-53944

Aliases

GHSA-wvp2-4qqp-4h3r

Published

2026-06-24T18:10:30.985Z

Modified

2026-06-25T04:03:56.591283345Z

Severity

5.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N CVSS Calculator

Summary

Ghost: Private IP filtering bypass to make server-side requests to internal services

Details

Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, when making an external request, it is possible to bypass the IP filter that ensures the request isn't going to an internal service using an IPv6 literal which maps to a private IPv4 address. This vulnerability is fixed in 6.21.1.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53944.json",
    "cwe_ids": [
        "CWE-184",
        "CWE-918"
    ],
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/tryghost/ghost

Affected ranges

Type

GIT

Repo

https://github.com/tryghost/ghost

Events

Introduced

c076dcc64d4af99dca0ecc380d5f4df04fc2a0fd

Fixed

1d36c589d39f979327106bbcfb4cece7abaea502

Database specific

{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "6.0.9"
        },
        {
            "fixed": "6.21.1"
        }
    ]
}

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-53944.json"