CVE-2026-53948

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-53948

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-53948.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2026-53948

Aliases

GHSA-944x-pm95-3jpr

Published

2026-06-24T18:06:30.077Z

Modified

2026-06-26T11:56:02.709018041Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Ghost: File Upload Content-Type Spoofing

Details

Ghost is a Node.js content management system. From 6.19.4 until 6.21.1, insufficient validation of the client-supplied Content-Type on Ghost's Admin API file upload endpoint allowed uploaded files to be served from the site with an attacker-chosen content type on S3/GCS storage backends. On installations that serve uploaded files from the same origin as the site, this could have been used to facilitate stored cross-site scripting against site visitors or staff. This vulnerability is fixed in 6.21.1.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53948.json",
    "cwe_ids": [
        "CWE-434"
    ],
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/tryghost/ghost

Affected ranges

Type

GIT

Repo

https://github.com/tryghost/ghost

Events

Introduced

59399d8850befd5095ae1149e31f375cac9f0514

Fixed

1d36c589d39f979327106bbcfb4cece7abaea502

Database specific

{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "6.19.4"
        },
        {
            "fixed": "6.21.1"
        }
    ]
}

Affected versions

v6.*

v6.19.4

v6.20.0

v6.20.1

v6.21.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-53948.json"