CVE-2026-53946

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-53946

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-53946.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2026-53946

Aliases

GHSA-g366-23fw-ggp6

Published

2026-06-24T18:08:44.602Z

Modified

2026-06-25T04:03:55.190776561Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Ghost: Mobiledoc image-size fetch SSRF

Details

Ghost is a Node.js content management system. From 6.19.4 until 6.21.1, when re-rendering posts, Ghost would refetch missing image dimensions by issuing an outbound HTTP request to the URL stored on an image card — without restricting that URL to trusted image hosts. An authenticated staff user able to create or edit posts could therefore point an image card at an attacker-chosen host and cause the Ghost server to request it on their behalf, including hosts on internal networks or cloud instance metadata endpoints that would not normally be reachable from the public internet. This vulnerability is fixed in 6.21.1.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53946.json",
    "cwe_ids": [
        "CWE-918"
    ],
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/tryghost/ghost

Affected ranges

Type

GIT

Repo

https://github.com/tryghost/ghost

Events

Introduced

59399d8850befd5095ae1149e31f375cac9f0514

Fixed

1d36c589d39f979327106bbcfb4cece7abaea502

Database specific

{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "6.19.4"
        },
        {
            "fixed": "6.21.1"
        }
    ]
}

Affected versions

v6.*

v6.19.4

v6.20.0

v6.20.1

v6.21.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-53946.json"