CVE-2026-53947

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-53947

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-53947.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2026-53947

Aliases

GHSA-chgm-3698-jm42

Published

2026-06-24T18:07:42.965Z

Modified

2026-06-26T03:55:07.186341855Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Ghost: Member existence leak via magic link sign-in response

Details

Ghost is a Node.js content management system. From 5.18.0 until 6.21.1, a discrepancy in responses from the members signin endpoints made it possible for an unauthenticated attacker to determine whether a given email address belongs to a registered member of a Ghost site. This vulnerability is fixed in 6.21.1.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53947.json",
    "cwe_ids": [
        "CWE-204"
    ],
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/tryghost/ghost

Affected ranges

Type

GIT

Repo

https://github.com/tryghost/ghost

Events

Introduced

b5fd02c9e8839f148713972fb9b87e47fa0a9351

Fixed

1d36c589d39f979327106bbcfb4cece7abaea502

Database specific

{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "5.18.0"
        },
        {
            "fixed": "6.21.1"
        }
    ]
}

Affected versions

@tryghost/admin-x-settings@0.*

@tryghost/admin-x-settings@0.0.2

@tryghost/admin-x-settings@0.0.3

@tryghost/admin-x-settings@0.0.4

@tryghost/admin-x-settings@0.0.5

@tryghost/admin-x-settings@0.0.6

@tryghost/admin-x-settings@0.0.7

@tryghost/admin-x-settings@0.0.8

@tryghost/announcement-bar@1.*

@tryghost/announcement-bar@1.1.6

@tryghost/announcement-bar@1.1.7

@tryghost/comments-ui@0.*

@tryghost/comments-ui@0.13.0

@tryghost/portal@2.*

@tryghost/portal@2.16.0

@tryghost/portal@2.17.0

@tryghost/portal@2.18.0

@tryghost/portal@2.19.3

@tryghost/portal@2.19.5

@tryghost/portal@2.19.6

@tryghost/portal@2.19.7

@tryghost/portal@2.19.8

@tryghost/portal@2.19.9

@tryghost/portal@2.20.0

@tryghost/portal@2.20.1

@tryghost/portal@2.20.2

@tryghost/portal@2.20.3

@tryghost/portal@2.21.0

@tryghost/portal@2.22.0

@tryghost/portal@2.23.0

@tryghost/portal@2.24.0

@tryghost/portal@2.24.1

@tryghost/portal@2.25.0

@tryghost/portal@2.26.0

@tryghost/portal@2.27.0

@tryghost/portal@2.28.0

@tryghost/portal@2.28.1

@tryghost/portal@2.29.0

@tryghost/portal@2.29.1

@tryghost/portal@2.29.2

@tryghost/portal@2.29.3

@tryghost/portal@2.30.0

@tryghost/portal@2.30.1

@tryghost/portal@2.31.0

@tryghost/portal@2.31.1

@tryghost/portal@2.31.2

@tryghost/portal@2.32.0

@tryghost/portal@2.33.0

@tryghost/portal@2.33.1

@tryghost/portal@2.33.2

@tryghost/portal@2.33.3

@tryghost/portal@2.33.4

@tryghost/portal@2.36.5

@tryghost/portal@2.37.0

@tryghost/signup-form@0.*

@tryghost/signup-form@0.0.1

@tryghost/signup-form@0.0.3

@tryghost/signup-form@0.1.0

@tryghost/signup-form@0.1.1

@tryghost/signup-form@0.1.2

@tryghost/signup-form@0.1.3

v5.*

v5.100.0

v5.101.0

v5.101.4

v5.101.6

v5.102.0

v5.103.0

v5.104.0

v5.105.0

v5.106.0

v5.106.1

v5.107.0

v5.108.0

v5.108.1

v5.109.0

v5.109.3

v5.109.6

v5.110.0

v5.110.2

v5.111.0

v5.112.0

v5.113.0

v5.114.0

v5.115.1

v5.116.0

v5.116.2

v5.117.0

v5.118.0

v5.118.1

v5.119.0

v5.119.2

v5.120.0

v5.120.2

v5.121.0

v5.122.0

v5.125.1

v5.126.0

v5.127.0

v5.127.1

v5.128.0

v5.129.0

v5.129.1

v5.129.2

v5.130.0

v5.130.1

v5.18.0

v5.19.0

v5.20.0

v5.21.0

v5.22.10

v5.22.6

v5.23.0

v5.24.0

v5.25.0

v5.25.3

v5.25.5

v5.26.0

v5.26.1

v5.26.2

v5.26.3

v5.26.4

v5.27.0

v5.28.0

v5.30.0

v5.30.1

v5.31.0

v5.33.0

v5.34.0

v5.35.0

v5.36.0

v5.37.0

v5.38.0

v5.39.0

v5.40.0

v5.40.1

v5.41.0

v5.42.0

v5.42.2

v5.43.0

v5.44.0

v5.45.0

v5.45.1

v5.46.0

v5.47.0

v5.47.1

v5.48.0

v5.49.1

v5.49.3

v5.51.0

v5.52.0

v5.53.0

v5.53.1

v5.53.3

v5.54.0

v5.54.1

v5.54.2

v5.55.0

v5.56.0

v5.57.0

v5.58.0

v5.59.0

v5.59.2

v5.60.0

v5.61.0

v5.62.0

v5.63.0

v5.65.0

v5.66.0

v5.67.0

v5.67.1

v5.68.0

v5.69.0

v5.69.1

v5.70.0

v5.70.1

v5.71.0

v5.72.0

v5.73.0

v5.73.1

v5.74.0

v5.74.4

v5.75.0

v5.76.0

v5.77.0

v5.78.0

v5.79.0

v5.79.1

v5.79.2

v5.79.3

v5.79.5

v5.80.0

v5.80.2

v5.80.3

v5.80.4

v5.81.0

v5.81.1

v5.82.0

v5.82.1

v5.82.11

v5.82.12

v5.82.2

v5.82.3

v5.82.4

v5.82.6

v5.82.9

v5.83.0

v5.84.0

v5.84.1

v5.84.2

v5.85.0

v5.85.1

v5.86.0

v5.86.1

v5.86.2

v5.87.0

v5.87.1

v5.87.2

v5.88.0

v5.88.1

v5.88.2

v5.89.0

v5.89.1

v5.89.2

v5.90.0

v5.91.0

v5.92.0

v5.93.0

v5.94.0

v5.94.1

v5.94.2

v5.95.0

v5.96.0

v5.96.1

v5.97.0

v5.98.0

v5.99.0

v6.*

v6.0.0

v6.0.0-alpha.2

v6.0.0-rc.0

v6.0.0-rc.1

v6.0.0-rc.2

v6.0.0-rc.3

v6.0.1

v6.0.10

v6.0.3

v6.0.4

v6.0.5

v6.0.6

v6.0.7

v6.0.8

v6.1.0

v6.10.0

v6.10.3

v6.11.0

v6.12.0

v6.13.0

v6.13.1

v6.13.2

v6.14.0

v6.15.0

v6.16.0

v6.16.1

v6.17.0

v6.17.1

v6.18.0

v6.18.2

v6.19.0

v6.19.1

v6.19.2

v6.19.3

v6.19.4

v6.2.0

v6.20.0

v6.20.1

v6.21.0

v6.3.0

v6.3.1

v6.4.0

v6.5.0

v6.5.2

v6.5.3

v6.6.0

v6.7.0

v6.8.0

v6.8.1

v6.9.0

v6.9.2

v6.9.3

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-53947.json"