CVE-2026-53946: CWE-918: Server-Side Request Forgery (SSRF) in TryGhost Ghost
Ghost versions from 6.19.4 up to but not including 6.21.1 contain a server-side request forgery (SSRF) vulnerability. This occurs when re-rendering posts, as Ghost fetches missing image dimensions by making HTTP requests to URLs stored on image cards without restricting them to trusted hosts. An authenticated staff user with post creation or editing permissions can exploit this to make the Ghost server send requests to attacker-controlled or internal network hosts. The vulnerability is fixed in version 6.21.1.
AI Analysis
Technical Summary
Ghost, a Node.js content management system, versions >=6.19.4 and <6.21.1 are vulnerable to SSRF (CWE-918) during post re-rendering. The system fetches missing image dimensions by issuing outbound HTTP requests to URLs specified in image cards without host restrictions. An authenticated staff user able to create or edit posts can supply a malicious URL, causing the server to make requests to arbitrary hosts, including internal network or cloud metadata endpoints. This could lead to unauthorized information disclosure. The issue is resolved in Ghost 6.21.1.
Potential Impact
An authenticated staff user can cause the Ghost server to make HTTP requests to arbitrary hosts, potentially accessing internal network resources or cloud instance metadata endpoints that are not normally reachable externally. This can lead to information disclosure or internal network reconnaissance. The CVSS score is 5.4 (medium severity), reflecting limited impact due to required authentication and user privileges.
Mitigation Recommendations
Upgrade Ghost to version 6.21.1 or later, where this SSRF vulnerability is fixed. No other official remediation or temporary fixes are documented. Until patched, restrict staff user permissions to trusted users only and monitor for suspicious activity related to image card URLs.
CVE-2026-53946: CWE-918: Server-Side Request Forgery (SSRF) in TryGhost Ghost
Description
Ghost versions from 6.19.4 up to but not including 6.21.1 contain a server-side request forgery (SSRF) vulnerability. This occurs when re-rendering posts, as Ghost fetches missing image dimensions by making HTTP requests to URLs stored on image cards without restricting them to trusted hosts. An authenticated staff user with post creation or editing permissions can exploit this to make the Ghost server send requests to attacker-controlled or internal network hosts. The vulnerability is fixed in version 6.21.1.
CVSS v3.1
Score 5.4medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Ghost, a Node.js content management system, versions >=6.19.4 and <6.21.1 are vulnerable to SSRF (CWE-918) during post re-rendering. The system fetches missing image dimensions by issuing outbound HTTP requests to URLs specified in image cards without host restrictions. An authenticated staff user able to create or edit posts can supply a malicious URL, causing the server to make requests to arbitrary hosts, including internal network or cloud metadata endpoints. This could lead to unauthorized information disclosure. The issue is resolved in Ghost 6.21.1.
Potential Impact
An authenticated staff user can cause the Ghost server to make HTTP requests to arbitrary hosts, potentially accessing internal network resources or cloud instance metadata endpoints that are not normally reachable externally. This can lead to information disclosure or internal network reconnaissance. The CVSS score is 5.4 (medium severity), reflecting limited impact due to required authentication and user privileges.
Mitigation Recommendations
Upgrade Ghost to version 6.21.1 or later, where this SSRF vulnerability is fixed. No other official remediation or temporary fixes are documented. Until patched, restrict staff user permissions to trusted users only and monitor for suspicious activity related to image card URLs.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-11T15:50:01.281Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3c2387748d17fc4ff2f769
Added to database: 06/24/2026, 18:35:51 UTC
Last enriched: 06/24/2026, 18:51:20 UTC
Last updated: 06/24/2026, 18:51:20 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.