CVE-2026-53950

Source
https://cve.org/CVERecord?id=CVE-2026-53950
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-53950.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-53950
Aliases
  • GHSA-xpp7-93x6-v29m
Published
2026-06-24T18:04:25.695Z
Modified
2026-06-25T04:05:22.375774491Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
@tryghost/activitypub: XSS in Ghost's ActivityPub client
Details

@tryghost/activitypub is Ghost’s social/federation client app. Prior to 3.1.0, the ActivityPub client in Ghost was vulnerable to JavaScript injection on posts shared by a maliciously customised ActivityPub server. This vulnerability is fixed in 3.1.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53950.json",
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/tryghost/ghost

Affected ranges

Type
GIT
Repo
https://github.com/tryghost/ghost
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.1.0"
        }
    ]
}

Affected versions

@tryghost/domain-events@0.*
@tryghost/domain-events@0.1.0
@tryghost/domain-events@0.1.1
@tryghost/domain-events@0.1.2
@tryghost/domain-events@0.1.3
@tryghost/domain-events@0.1.4
@tryghost/express-dynamic-redirects@0.*
@tryghost/express-dynamic-redirects@0.1.0
@tryghost/express-dynamic-redirects@0.2.0
@tryghost/express-dynamic-redirects@0.2.1
@tryghost/express-dynamic-redirects@0.2.2
@tryghost/express-dynamic-redirects@0.2.3
@tryghost/magic-link@0.*
@tryghost/magic-link@0.1.0
@tryghost/magic-link@0.1.1
@tryghost/magic-link@0.1.2
@tryghost/magic-link@0.1.3
@tryghost/magic-link@0.1.4
@tryghost/magic-link@0.2.0
@tryghost/magic-link@0.2.1
@tryghost/magic-link@0.2.2
@tryghost/magic-link@0.3.0
@tryghost/magic-link@0.3.1
@tryghost/magic-link@0.3.2
@tryghost/magic-link@0.3.3
@tryghost/magic-link@0.4.0
@tryghost/magic-link@0.4.1
@tryghost/magic-link@0.4.10
@tryghost/magic-link@0.4.11
@tryghost/magic-link@0.4.12
@tryghost/magic-link@0.4.13
@tryghost/magic-link@0.4.2
@tryghost/magic-link@0.4.3
@tryghost/magic-link@0.4.4
@tryghost/magic-link@0.4.5
@tryghost/magic-link@0.4.6
@tryghost/magic-link@0.4.7
@tryghost/magic-link@0.4.8
@tryghost/magic-link@0.4.9
@tryghost/magic-link@0.5.0
@tryghost/magic-link@0.6.0
@tryghost/magic-link@0.6.1
@tryghost/magic-link@0.6.2
@tryghost/magic-link@0.6.3
@tryghost/magic-link@0.6.4
@tryghost/magic-link@0.6.5
@tryghost/magic-link@0.6.6
@tryghost/magic-link@0.6.7
@tryghost/magic-link@1.*
@tryghost/magic-link@1.0.0
@tryghost/magic-link@1.0.1
@tryghost/magic-link@1.0.10
@tryghost/magic-link@1.0.11
@tryghost/magic-link@1.0.12
@tryghost/magic-link@1.0.13
@tryghost/magic-link@1.0.14
@tryghost/magic-link@1.0.15
@tryghost/magic-link@1.0.2
@tryghost/magic-link@1.0.3
@tryghost/magic-link@1.0.4
@tryghost/magic-link@1.0.5
@tryghost/magic-link@1.0.6
@tryghost/magic-link@1.0.7
@tryghost/magic-link@1.0.8
@tryghost/magic-link@1.0.9
@tryghost/member-analytics-service@0.*
@tryghost/member-analytics-service@0.1.0
@tryghost/member-analytics-service@0.1.1
@tryghost/member-analytics-service@0.1.2
@tryghost/member-analytics-service@0.1.3
@tryghost/member-analytics-service@0.1.4
@tryghost/member-analytics-service@0.1.5
@tryghost/member-events@0.*
@tryghost/member-events@0.1.0
@tryghost/member-events@0.2.0
@tryghost/member-events@0.2.1
@tryghost/member-events@0.3.0
@tryghost/member-events@0.3.1
@tryghost/member-events@0.3.2
@tryghost/members-analytics-ingress@0.*
@tryghost/members-analytics-ingress@0.1.0
@tryghost/members-analytics-ingress@0.1.1
@tryghost/members-analytics-ingress@0.1.2
@tryghost/members-analytics-ingress@0.1.3
@tryghost/members-analytics-ingress@0.1.4
@tryghost/members-analytics-ingress@0.1.5
@tryghost/members-analytics-ingress@0.1.6
@tryghost/members-api@0.*
@tryghost/members-api@0.1.1
@tryghost/members-api@0.1.2
@tryghost/members-api@0.10.1
@tryghost/members-api@0.10.2
@tryghost/members-api@0.11.0
@tryghost/members-api@0.11.1
@tryghost/members-api@0.11.2
@tryghost/members-api@0.11.3
@tryghost/members-api@0.11.4
@tryghost/members-api@0.12.0
@tryghost/members-api@0.13.0
@tryghost/members-api@0.14.0
@tryghost/members-api@0.14.1
@tryghost/members-api@0.14.2
@tryghost/members-api@0.15.0
@tryghost/members-api@0.15.1
@tryghost/members-api@0.16.0
@tryghost/members-api@0.16.1
@tryghost/members-api@0.16.2
@tryghost/members-api@0.17.0
@tryghost/members-api@0.18.0
@tryghost/members-api@0.18.1
@tryghost/members-api@0.18.2
@tryghost/members-api@0.18.3
@tryghost/members-api@0.18.4
@tryghost/members-api@0.18.5
@tryghost/members-api@0.18.7
@tryghost/members-api@0.19.0
@tryghost/members-api@0.2.0
@tryghost/members-api@0.20.0
@tryghost/members-api@0.20.1
@tryghost/members-api@0.21.0
@tryghost/members-api@0.22.0
@tryghost/members-api@0.23.0
@tryghost/members-api@0.23.1
@tryghost/members-api@0.23.2
@tryghost/members-api@0.24.0
@tryghost/members-api@0.24.1
@tryghost/members-api@0.24.2
@tryghost/members-api@0.24.3
@tryghost/members-api@0.24.4
@tryghost/members-api@0.24.5
@tryghost/members-api@0.25.0
@tryghost/members-api@0.25.1
@tryghost/members-api@0.25.2
@tryghost/members-api@0.26.0
@tryghost/members-api@0.27.0
@tryghost/members-api@0.27.1
@tryghost/members-api@0.27.2
@tryghost/members-api@0.28.0
@tryghost/members-api@0.28.1
@tryghost/members-api@0.28.2
@tryghost/members-api@0.28.3
@tryghost/members-api@0.29.0
@tryghost/members-api@0.3.0
@tryghost/members-api@0.30.0
@tryghost/members-api@0.30.1
@tryghost/members-api@0.31.0
@tryghost/members-api@0.32.0
@tryghost/members-api@0.33.0
@tryghost/members-api@0.33.1
@tryghost/members-api@0.33.2
@tryghost/members-api@0.33.3
@tryghost/members-api@0.34.0
@tryghost/members-api@0.34.1
@tryghost/members-api@0.34.2
@tryghost/members-api@0.35.0
@tryghost/members-api@0.36.0
@tryghost/members-api@0.37.0
@tryghost/members-api@0.37.1
@tryghost/members-api@0.37.10
@tryghost/members-api@0.37.11
@tryghost/members-api@0.37.2
@tryghost/members-api@0.37.3
@tryghost/members-api@0.37.4
@tryghost/members-api@0.37.5
@tryghost/members-api@0.37.6
@tryghost/members-api@0.37.7
@tryghost/members-api@0.37.8
@tryghost/members-api@0.37.9
@tryghost/members-api@0.4.0
@tryghost/members-api@0.4.1
@tryghost/members-api@0.5.0
@tryghost/members-api@0.5.1
@tryghost/members-api@0.5.2
@tryghost/members-api@0.5.3
@tryghost/members-api@0.6.0
@tryghost/members-api@0.6.1
@tryghost/members-api@0.6.2
@tryghost/members-api@0.7.0
@tryghost/members-api@0.7.1
@tryghost/members-api@0.7.2
@tryghost/members-api@0.7.3
@tryghost/members-api@0.7.4
@tryghost/members-api@0.7.5
@tryghost/members-api@0.7.6
@tryghost/members-api@0.7.7
@tryghost/members-api@0.8.0
@tryghost/members-api@0.8.1
@tryghost/members-api@0.8.2
@tryghost/members-api@0.8.3
@tryghost/members-api@0.9.0
@tryghost/members-api@1.*
@tryghost/members-api@1.0.0
@tryghost/members-api@1.0.0-rc.4
@tryghost/members-api@1.0.0-rc.5
@tryghost/members-api@1.1.0
@tryghost/members-api@1.1.1
@tryghost/members-api@1.10.0
@tryghost/members-api@1.11.0
@tryghost/members-api@1.11.1
@tryghost/members-api@1.12.0
@tryghost/members-api@1.13.0
@tryghost/members-api@1.13.1
@tryghost/members-api@1.14.0
@tryghost/members-api@1.15.0
@tryghost/members-api@1.16.0
@tryghost/members-api@1.17.0
@tryghost/members-api@1.18.0
@tryghost/members-api@1.18.1
@tryghost/members-api@1.19.0
@tryghost/members-api@1.2.0
@tryghost/members-api@1.20.0
@tryghost/members-api@1.20.1
@tryghost/members-api@1.20.2
@tryghost/members-api@1.20.3
@tryghost/members-api@1.21.0
@tryghost/members-api@1.22.0
@tryghost/members-api@1.22.1
@tryghost/members-api@1.23.0
@tryghost/members-api@1.23.1
@tryghost/members-api@1.23.2
@tryghost/members-api@1.23.3
@tryghost/members-api@1.24.0
@tryghost/members-api@1.24.1
@tryghost/members-api@1.25.0
@tryghost/members-api@1.25.1
@tryghost/members-api@1.25.2
@tryghost/members-api@1.26.0
@tryghost/members-api@1.27.0
@tryghost/members-api@1.27.1
@tryghost/members-api@1.27.2
@tryghost/members-api@1.27.3
@tryghost/members-api@1.28.0
@tryghost/members-api@1.29.0
@tryghost/members-api@1.29.1
@tryghost/members-api@1.29.2
@tryghost/members-api@1.29.3
@tryghost/members-api@1.3.0
@tryghost/members-api@1.3.1
@tryghost/members-api@1.3.2
@tryghost/members-api@1.31.0
@tryghost/members-api@1.32.0
@tryghost/members-api@1.32.1
@tryghost/members-api@1.33.0
@tryghost/members-api@1.34.0
@tryghost/members-api@1.35.0
@tryghost/members-api@1.36.0
@tryghost/members-api@1.37.0
@tryghost/members-api@1.37.1
@tryghost/members-api@1.37.2
@tryghost/members-api@1.37.3
@tryghost/members-api@1.37.4
@tryghost/members-api@1.37.5
@tryghost/members-api@1.38.0
@tryghost/members-api@1.38.1
@tryghost/members-api@1.39.0
@tryghost/members-api@1.39.1
@tryghost/members-api@1.4.0
@tryghost/members-api@1.5.0
@tryghost/members-api@1.6.0
@tryghost/members-api@1.6.1
@tryghost/members-api@1.7.0
@tryghost/members-api@1.8.0
@tryghost/members-api@1.9.0
@tryghost/members-api@2.*
@tryghost/members-api@2.0.0
@tryghost/members-api@2.1.0
@tryghost/members-api@2.1.1
@tryghost/members-api@2.2.0
@tryghost/members-api@2.2.1
@tryghost/members-api@2.2.2
@tryghost/members-api@2.2.3
@tryghost/members-api@2.3.0
@tryghost/members-api@2.4.0
@tryghost/members-api@2.4.1
@tryghost/members-api@2.4.2
@tryghost/members-api@2.4.3
@tryghost/members-api@2.4.4
@tryghost/members-api@2.5.0
@tryghost/members-api@2.6.0
@tryghost/members-api@2.6.1
@tryghost/members-api@2.6.2
@tryghost/members-api@2.7.0
@tryghost/members-api@2.7.1
@tryghost/members-api@2.7.2
@tryghost/members-api@2.7.3
@tryghost/members-api@2.7.4
@tryghost/members-api@2.7.5
@tryghost/members-api@2.7.6
@tryghost/members-api@2.8.0
@tryghost/members-api@2.8.1
@tryghost/members-api@2.8.2
@tryghost/members-api@2.8.3
@tryghost/members-api@2.8.4
@tryghost/members-api@2.8.5
@tryghost/members-api@2.8.6
@tryghost/members-api@2.8.7
@tryghost/members-api@2.8.8
@tryghost/members-api@3.*
@tryghost/members-api@3.0.0
@tryghost/members-api@3.0.1
@tryghost/members-auth-pages@0.*
@tryghost/members-auth-pages@0.1.2
@tryghost/members-auth-pages@0.2.0
@tryghost/members-auth-pages@0.2.1
@tryghost/members-auth-pages@0.2.2
@tryghost/members-auth-pages@1.*
@tryghost/members-auth-pages@1.0.0
@tryghost/members-auth-pages@1.1.0
@tryghost/members-auth-pages@1.1.1
@tryghost/members-auth-pages@1.1.2
@tryghost/members-auth-pages@1.1.3
@tryghost/members-browser-auth@0.*
@tryghost/members-browser-auth@0.1.0
@tryghost/members-browser-auth@0.1.1
@tryghost/members-browser-auth@0.1.2
@tryghost/members-browser-auth@0.1.3
@tryghost/members-browser-auth@0.2.0
@tryghost/members-browser-auth@0.2.1
@tryghost/members-browser-auth@0.2.2
@tryghost/members-browser-auth@0.2.3
@tryghost/members-csv@0.*
@tryghost/members-csv@0.1.0
@tryghost/members-csv@0.1.1
@tryghost/members-csv@0.1.2
@tryghost/members-csv@0.2.0
@tryghost/members-csv@0.2.1
@tryghost/members-csv@0.3.0
@tryghost/members-csv@0.3.1
@tryghost/members-csv@0.3.2
@tryghost/members-csv@0.3.3
@tryghost/members-csv@0.4.0
@tryghost/members-csv@0.4.1
@tryghost/members-csv@0.4.2
@tryghost/members-csv@0.4.3
@tryghost/members-csv@0.4.4
@tryghost/members-csv@0.4.5
@tryghost/members-csv@1.*
@tryghost/members-csv@1.0.0
@tryghost/members-csv@1.0.0-rc.2
@tryghost/members-csv@1.0.1
@tryghost/members-csv@1.1.0
@tryghost/members-csv@1.1.1
@tryghost/members-csv@1.1.2
@tryghost/members-csv@1.1.3
@tryghost/members-csv@1.1.4
@tryghost/members-csv@1.1.5
@tryghost/members-csv@1.1.6
@tryghost/members-csv@1.1.7
@tryghost/members-csv@1.1.8
@tryghost/members-csv@1.2.0
@tryghost/members-csv@1.2.1
@tryghost/members-csv@1.2.2
@tryghost/members-gateway-api@0.*
@tryghost/members-gateway-api@0.1.0
@tryghost/members-gateway-api@0.1.1
@tryghost/members-gateway-api@0.1.2
@tryghost/members-gateway-api@0.1.3
@tryghost/members-gateway-api@0.1.4
@tryghost/members-gateway-api@0.1.5
@tryghost/members-gateway-api@0.1.6
@tryghost/members-gateway-api@0.1.7
@tryghost/members-gateway-protocol@0.*
@tryghost/members-gateway-protocol@0.1.0
@tryghost/members-gateway-protocol@0.1.1
@tryghost/members-gateway-protocol@0.1.2
@tryghost/members-gateway-protocol@0.1.3
@tryghost/members-gateway-protocol@0.1.4
@tryghost/members-importer@0.*
@tryghost/members-importer@0.1.0
@tryghost/members-importer@0.1.1
@tryghost/members-importer@0.1.2
@tryghost/members-importer@0.2.0
@tryghost/members-importer@0.3.0
@tryghost/members-importer@0.3.1
@tryghost/members-importer@0.3.2
@tryghost/members-importer@0.3.3
@tryghost/members-importer@0.3.4
@tryghost/members-importer@0.3.5
@tryghost/members-importer@0.3.6
@tryghost/members-importer@0.3.7
@tryghost/members-offers@0.*
@tryghost/members-offers@0.1.0
@tryghost/members-offers@0.1.1
@tryghost/members-offers@0.1.2
@tryghost/members-offers@0.10.0
@tryghost/members-offers@0.10.1
@tryghost/members-offers@0.10.2
@tryghost/members-offers@0.10.3
@tryghost/members-offers@0.10.4
@tryghost/members-offers@0.2.0
@tryghost/members-offers@0.2.1
@tryghost/members-offers@0.3.0
@tryghost/members-offers@0.3.1
@tryghost/members-offers@0.3.2
@tryghost/members-offers@0.3.3
@tryghost/members-offers@0.3.4
@tryghost/members-offers@0.3.5
@tryghost/members-offers@0.4.0
@tryghost/members-offers@0.4.1
@tryghost/members-offers@0.4.2
@tryghost/members-offers@0.5.0
@tryghost/members-offers@0.6.0
@tryghost/members-offers@0.6.1
@tryghost/members-offers@0.6.2
@tryghost/members-offers@0.7.0
@tryghost/members-offers@0.7.1
@tryghost/members-offers@0.7.2
@tryghost/members-offers@0.8.0
@tryghost/members-offers@0.9.0
@tryghost/members-payments@0.*
@tryghost/members-payments@0.1.0
@tryghost/members-payments@0.1.1
@tryghost/members-payments@0.1.2
@tryghost/members-payments@0.1.3
@tryghost/members-payments@0.1.4
@tryghost/members-payments@0.1.5
@tryghost/members-payments@0.1.6
@tryghost/members-ssr@0.*
@tryghost/members-ssr@0.1.0
@tryghost/members-ssr@0.1.1
@tryghost/members-ssr@0.1.3
@tryghost/members-ssr@0.1.4
@tryghost/members-ssr@0.1.5
@tryghost/members-ssr@0.2.0
@tryghost/members-ssr@0.2.1
@tryghost/members-ssr@0.3.0
@tryghost/members-ssr@0.3.1
@tryghost/members-ssr@0.4.0
@tryghost/members-ssr@0.5.0
@tryghost/members-ssr@0.5.1
@tryghost/members-ssr@0.5.2
@tryghost/members-ssr@0.6.0
@tryghost/members-ssr@0.7.0
@tryghost/members-ssr@0.7.1
@tryghost/members-ssr@0.7.10
@tryghost/members-ssr@0.7.2
@tryghost/members-ssr@0.7.3
@tryghost/members-ssr@0.7.4
@tryghost/members-ssr@0.7.5
@tryghost/members-ssr@0.7.6
@tryghost/members-ssr@0.7.7
@tryghost/members-ssr@0.7.8
@tryghost/members-ssr@0.7.9
@tryghost/members-ssr@0.8.0
@tryghost/members-ssr@0.8.1
@tryghost/members-ssr@0.8.10
@tryghost/members-ssr@0.8.11
@tryghost/members-ssr@0.8.2
@tryghost/members-ssr@0.8.3
@tryghost/members-ssr@0.8.4
@tryghost/members-ssr@0.8.5
@tryghost/members-ssr@0.8.6
@tryghost/members-ssr@0.8.7
@tryghost/members-ssr@0.8.8
@tryghost/members-ssr@0.8.9
@tryghost/members-ssr@1.*
@tryghost/members-ssr@1.0.0
@tryghost/members-ssr@1.0.1
@tryghost/members-ssr@1.0.10
@tryghost/members-ssr@1.0.11
@tryghost/members-ssr@1.0.12
@tryghost/members-ssr@1.0.13
@tryghost/members-ssr@1.0.14
@tryghost/members-ssr@1.0.15
@tryghost/members-ssr@1.0.16
@tryghost/members-ssr@1.0.17
@tryghost/members-ssr@1.0.2
@tryghost/members-ssr@1.0.3
@tryghost/members-ssr@1.0.4
@tryghost/members-ssr@1.0.5
@tryghost/members-ssr@1.0.6
@tryghost/members-ssr@1.0.7
@tryghost/members-ssr@1.0.8
@tryghost/members-ssr@1.0.9
@tryghost/members-stripe-service@0.*
@tryghost/members-stripe-service@0.1.0
@tryghost/members-stripe-service@0.2.0
@tryghost/members-stripe-service@0.3.0
@tryghost/members-stripe-service@0.3.1
@tryghost/members-stripe-service@0.4.0
@tryghost/members-stripe-service@0.5.0
@tryghost/members-stripe-service@0.5.1
@tryghost/members-stripe-service@0.5.2
@tryghost/members-theme-bindings@0.*
@tryghost/members-theme-bindings@0.1.0
@tryghost/members-theme-bindings@0.2.0
@tryghost/members-theme-bindings@0.2.1
@tryghost/members-theme-bindings@0.2.2
@tryghost/members-theme-bindings@0.2.3
@tryghost/members-theme-bindings@0.2.4
@tryghost/members-theme-bindings@0.2.5
@tryghost/members-theme-bindings@0.2.6
@tryghost/product-repository@0.*
@tryghost/product-repository@0.1.1
@tryghost/stripe-service@0.*
@tryghost/stripe-service@0.1.0
@tryghost/substack-ghost-csv-converter@0.*
@tryghost/substack-ghost-csv-converter@0.1.0

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-53950.json"