CVE-2026-53944: CWE-184: Incomplete List of Disallowed Inputs in TryGhost Ghost
Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, when making an external request, it is possible to bypass the IP filter that ensures the request isn't going to an internal service using an IPv6 literal which maps to a private IPv4 address. This vulnerability is fixed in 6.21.1.
AI Analysis
Technical Summary
CVE-2026-53944 is an incomplete input validation vulnerability in the TryGhost Ghost CMS. Specifically, the IP filtering mechanism intended to prevent external requests from reaching internal services can be bypassed by using IPv6 literals that map to private IPv4 addresses. This affects versions from 6.0.9 up to but not including 6.21.1. The vulnerability is categorized under CWE-184 (Incomplete List of Disallowed Inputs) and CWE-918 (Server-Side Request Forgery). It has a CVSS 3.1 base score of 5.8 (medium severity) with network attack vector, low attack complexity, no privileges required, no user interaction, and a scope change. The vulnerability allows integrity impact but no confidentiality or availability impact. No known exploits in the wild have been reported. The issue is fixed in version 6.21.1.
Potential Impact
An attacker can bypass the IP filtering controls in Ghost CMS to make unauthorized external requests that reach internal services by exploiting the incomplete validation of IPv6 literals mapping to private IPv4 addresses. This can lead to integrity issues, such as unauthorized actions or data manipulation within internal services. There is no reported impact on confidentiality or availability. The vulnerability does not require privileges or user interaction to exploit.
Mitigation Recommendations
A fix is available in Ghost version 6.21.1. Users should upgrade to version 6.21.1 or later to remediate this vulnerability. Since this is a self-hosted product, administrators must apply the update manually. Patch status is confirmed by the vendor advisory stating the issue is fixed in 6.21.1. No additional mitigations are specified.
CVE-2026-53944: CWE-184: Incomplete List of Disallowed Inputs in TryGhost Ghost
Description
Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, when making an external request, it is possible to bypass the IP filter that ensures the request isn't going to an internal service using an IPv6 literal which maps to a private IPv4 address. This vulnerability is fixed in 6.21.1.
CVSS v3.1
Score 5.8medium
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-53944 is an incomplete input validation vulnerability in the TryGhost Ghost CMS. Specifically, the IP filtering mechanism intended to prevent external requests from reaching internal services can be bypassed by using IPv6 literals that map to private IPv4 addresses. This affects versions from 6.0.9 up to but not including 6.21.1. The vulnerability is categorized under CWE-184 (Incomplete List of Disallowed Inputs) and CWE-918 (Server-Side Request Forgery). It has a CVSS 3.1 base score of 5.8 (medium severity) with network attack vector, low attack complexity, no privileges required, no user interaction, and a scope change. The vulnerability allows integrity impact but no confidentiality or availability impact. No known exploits in the wild have been reported. The issue is fixed in version 6.21.1.
Potential Impact
An attacker can bypass the IP filtering controls in Ghost CMS to make unauthorized external requests that reach internal services by exploiting the incomplete validation of IPv6 literals mapping to private IPv4 addresses. This can lead to integrity issues, such as unauthorized actions or data manipulation within internal services. There is no reported impact on confidentiality or availability. The vulnerability does not require privileges or user interaction to exploit.
Mitigation Recommendations
A fix is available in Ghost version 6.21.1. Users should upgrade to version 6.21.1 or later to remediate this vulnerability. Since this is a self-hosted product, administrators must apply the update manually. Patch status is confirmed by the vendor advisory stating the issue is fixed in 6.21.1. No additional mitigations are specified.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-11T15:50:01.280Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3c2387748d17fc4ff2f763
Added to database: 06/24/2026, 18:35:51 UTC
Last enriched: 06/24/2026, 18:51:34 UTC
Last updated: 06/24/2026, 20:11:12 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.