CVE-2026-53943: CWE-524: Use of Cache Containing Sensitive Information in TryGhost Ghost
Ghost is a Node.js content management system. From until 6.37.0, when Ghost is behind a shared caching layer that results in cached content being shared between different visitors, an unauthenticated user could send an x-ghost-preview header that altered the rendered frontend response. In affected cache configurations, that response could be stored and served to subsequent visitors requesting the same page, allowing cache poisoning of request-specific preview output. When running Ghost's frontend and admin panel on the same domain this could be used to take over staff user accounts. When running these on different domains staff accounts have no exposure. This vulnerability is fixed in 6.37.0.
AI Analysis
Technical Summary
CVE-2026-53943 is a vulnerability in TryGhost Ghost CMS versions before 6.37.0 where use of a shared caching layer allows an unauthenticated attacker to send an x-ghost-preview header that modifies the frontend response. This response can be cached and served to other visitors, causing cache poisoning of preview content. When the frontend and admin panel share the same domain, this can escalate to staff user account takeover. The vulnerability is classified under CWE-524 (Use of Cache Containing Sensitive Information). The vulnerability has a CVSS 3.1 score of 9.6 (critical) with network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and high impact on confidentiality, integrity, and availability. The issue is resolved in Ghost version 6.37.0.
Potential Impact
An attacker can poison cached frontend responses by sending a crafted x-ghost-preview header, causing sensitive preview content to be served to other users. This can lead to unauthorized disclosure of sensitive information and, when frontend and admin panel share the same domain, can result in staff account takeover. The vulnerability affects confidentiality, integrity, and availability of the system.
Mitigation Recommendations
Upgrade Ghost to version 6.37.0 or later, where this vulnerability is fixed. Until then, avoid configurations where Ghost is behind a shared caching layer that shares cached content between different visitors, or separate the frontend and admin panel domains to reduce risk. Patch status is confirmed fixed in 6.37.0.
CVE-2026-53943: CWE-524: Use of Cache Containing Sensitive Information in TryGhost Ghost
Description
Ghost is a Node.js content management system. From until 6.37.0, when Ghost is behind a shared caching layer that results in cached content being shared between different visitors, an unauthenticated user could send an x-ghost-preview header that altered the rendered frontend response. In affected cache configurations, that response could be stored and served to subsequent visitors requesting the same page, allowing cache poisoning of request-specific preview output. When running Ghost's frontend and admin panel on the same domain this could be used to take over staff user accounts. When running these on different domains staff accounts have no exposure. This vulnerability is fixed in 6.37.0.
CVSS v3.1
Score 9.6critical
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-53943 is a vulnerability in TryGhost Ghost CMS versions before 6.37.0 where use of a shared caching layer allows an unauthenticated attacker to send an x-ghost-preview header that modifies the frontend response. This response can be cached and served to other visitors, causing cache poisoning of preview content. When the frontend and admin panel share the same domain, this can escalate to staff user account takeover. The vulnerability is classified under CWE-524 (Use of Cache Containing Sensitive Information). The vulnerability has a CVSS 3.1 score of 9.6 (critical) with network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and high impact on confidentiality, integrity, and availability. The issue is resolved in Ghost version 6.37.0.
Potential Impact
An attacker can poison cached frontend responses by sending a crafted x-ghost-preview header, causing sensitive preview content to be served to other users. This can lead to unauthorized disclosure of sensitive information and, when frontend and admin panel share the same domain, can result in staff account takeover. The vulnerability affects confidentiality, integrity, and availability of the system.
Mitigation Recommendations
Upgrade Ghost to version 6.37.0 or later, where this vulnerability is fixed. Until then, avoid configurations where Ghost is behind a shared caching layer that shares cached content between different visitors, or separate the frontend and admin panel domains to reduce risk. Patch status is confirmed fixed in 6.37.0.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-11T15:50:01.280Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3c2387748d17fc4ff2f760
Added to database: 06/24/2026, 18:35:51 UTC
Last enriched: 06/24/2026, 18:50:34 UTC
Last updated: 06/24/2026, 19:56:53 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.