Cross-site request forgery in Ghost

Description

Ghost has incomplete CSRF protections around OTC use.

Impact

Incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to take over a Ghost site.
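
The property described above, a one-time code that is only usable from the login session that requested it, can be sketched as follows. This is an added example, not Ghost's code or its actual fix; the function names, the in-memory store, the HMAC tag and the Origin comparison are all assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumptions for this sketch: an in-memory store and a per-process HMAC key.
const KEY = crypto.randomBytes(32);
const pending = new Map(); // sessionId -> { tag, expires }
const TTL_MS = 5 * 60 * 1000;

// The tag ties a code to the session that requested it; the raw code is never stored.
function tagFor(sessionId, code) {
  return crypto.createHmac('sha256', KEY).update(`${sessionId}\n${code}`).digest();
}

// Called when a login session asks for a one-time code.
function issueCode(sessionId, now = Date.now()) {
  const code = String(crypto.randomInt(0, 1000000)).padStart(6, '0');
  pending.set(sessionId, { tag: tagFor(sessionId, code), expires: now + TTL_MS });
  return code; // delivered out of band (for example by email) in a real system
}

// Called by the verify endpoint. `req` is a hypothetical object carrying the
// caller's own session id, the Origin header value and the submitted code.
function verifyCode(req, trustedOrigin, now = Date.now()) {
  // CSRF check: reject requests that did not originate from the site itself.
  if (req.origin !== trustedOrigin) return 'bad-origin';
  // Look up only the code requested by *this* session, never a global list.
  const entry = pending.get(req.sessionId);
  if (!entry) return 'no-pending-code';
  if (now > entry.expires) {
    pending.delete(req.sessionId);
    return 'expired';
  }
  const submitted = tagFor(req.sessionId, String(req.code));
  if (!crypto.timingSafeEqual(entry.tag, submitted)) return 'mismatch';
  pending.delete(req.sessionId); // single use
  return 'ok';
}
```

A code issued to one session is rejected when submitted from any other session, from a foreign origin, after expiry, or a second time.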

Vulnerable versions

This vulnerability is present in Ghost from v5.101.6 up to v6.19.2.

Patches

v6.19.3 contains a fix for this issue.

How to update

For self-hosters using Docker, find Docker's official Ghost image here. Updating a Docker-based Ghost instance is documented here.

If a project's Ghost is a Ghost-CLI install, see the documentation on updating it to the latest version here.

For more information

If there are any questions or comments about this advisory, send an email to [email protected].

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
