pkg:Bitnami/ghost

30 total CVEs: CRITICAL 4, HIGH 11, MEDIUM 13

All known vulnerabilities

  • CRITICAL 9.8 CVE-2022-27139: Arbitrary file upload in Ghost
    >= 4.39.0, < 4.39.1
  • CRITICAL 9.8 CVE-2022-28397: Arbitrary file upload in Ghost
    >= 4.42.0, < 4.42.1
  • CRITICAL 9.4 CVE-2026-26980: Ghost has a SQL Injection in its Content API
    >= 3.24.0, < 6.19.1
  • CRITICAL 9.1 CVE-2024-34451: Ghost through 5.85.1 allows remote attackers to bypass an authentication rate-limit protection mechanism by using many X-Forwarded-For head…
    from 0, < 5.110.4
  • HIGH 8.8 CVE-2026-24778: Ghost vulnerable to XSS via malicious Portal preview links
    >= 5.43.0, < 5.121.0; >= 6.0.0, < 6.15.0
  • HIGH 8.8 CVE-2024-34448: Ghost allows CSV Injection during member CSV export
    from 0, < 5.82.0
  • HIGH 8.5 CVE-2022-41654: ghost vulnerable to unauthorized newsletter modification via improper access controls
    >= 4.46.0, < 4.48.8; >= 5.0.0, < 5.22.7
  • HIGH 8.1 CVE-2026-22595: Ghost has Staff Token permission bypass
    >= 5.121.0, < 5.130.6; >= 6.0.0, < 6.11.0
  • HIGH 8.1 CVE-2026-22594: Ghost has Staff 2FA bypass
    >= 5.105.0, < 5.130.6; >= 6.0.0, < 6.11.0
  • HIGH 8.1 CVE-2020-8134: Server-side request forgery in Ghost CMS
    from 0, < 3.10.0
  • HIGH 7.6 CVE-2026-29053: Ghost Vulnerable to Remote Code Execution via Malicious Themes
    >= 0.7.2, < 6.19.1
  • HIGH 7.5 CVE-2026-29784: Ghost has incomplete CSRF protections around OTC use
    >= 5.101.6, < 6.19.3
  • HIGH 7.5 CVE-2024-34559: Insertion of Sensitive Information into Log File vulnerability in Ghost Foundation Ghost. This issue affects Ghost: from n/a through 1.4.0.
    from 0, < 1.5.0
  • HIGH 7.5 CVE-2023-32235: Path Traversal in Ghost
    from 0, < 5.42.1
  • HIGH 7.5 CVE-2023-31133: Ghost vulnerable to disclosure of private API fields
    from 0, < 5.46.1
  • MEDIUM 6.8 CVE-2021-29484: DOM XSS in Theme Preview
    >= 4.0.0, < 4.3.3
  • MEDIUM 6.7 CVE-2026-22596: Ghost has SQL Injection in Members Activity Feed
    >= 5.90.0, < 5.130.6; >= 6.0.0, < 6.11.0
  • MEDIUM 6.5 CVE-2024-43409: Ghost's improper authentication allows access to member information and actions
    >= 4.46.0, < 5.89.5
  • MEDIUM 6.5 CVE-2024-23724: Ghost has possible Cross-site Scripting issue
    from 0, < 5.82.11
  • MEDIUM 6.5 CVE-2021-39192: Privilege escalation: all users can access Admin-level API keys
    >= 4.0.0, < 4.10.0
  • MEDIUM 6.1 CVE-2024-23725: Cross-site Scripting in Ghost
    from 0, < 5.76.0
  • MEDIUM 5.7 CVE-2023-26510: Ghost 5.35.0 allows authorization bypass: contributors can view draft posts of other users, which is arguably inconsistent with a security…
    >= 5.35.0, < 5.35.1
  • MEDIUM 5.4 CVE-2022-47194: An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4.
    >= 5.9.4, < 5.9.5
  • MEDIUM 5.4 CVE-2022-47195: An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4.
    >= 5.9.4, < 5.9.5
  • MEDIUM 5.4 CVE-2022-47196: An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4.
    >= 5.9.4, < 5.9.5
  • MEDIUM 5.4 CVE-2022-47197: An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4.
    >= 5.9.4, < 5.9.5
  • MEDIUM 5.3 CVE-2022-41697: A user enumeration vulnerability exists in the login functionality of Ghost Foundation Ghost 5.9.4.
    >= 5.9.4, < 5.9.5
  • MEDIUM 4.9 CVE-2023-40028: Arbitrary file read via symlinks in Ghost
    from 0, < 5.59.1
  • CVE-2026-22597: Ghost has SSRF via External Media Inliner
    >= 5.38.0, < 5.130.6; >= 6.0.0, < 6.11.0
  • CVE-2025-9862: Ghost 6.0.6 - SSRF via oEmbed Bookmark
    >= 5.99.0, < 5.130.5; >= 6.0.0, < 6.0.9