Cross-Site Scripting Vulnerability in Ghost Node.js CMS by TryGhost
CVE-2026-53948

5.4 MEDIUM

Key Information:

Vendor: Tryghost
Status: Vendor
CVE Published: 24 June 2026

What is CVE-2026-53948?

In the Ghost content management system, versions from 6.19.4 before 6.21.1, the Admin API file upload endpoint does not sufficiently validate the client-supplied Content-Type. An uploader can therefore control the content type an uploaded file is stored with and later served with, particularly when an S3/GCS storage backend is used. This can enable stored cross-site scripting against site visitors or staff. The issue has been resolved in version 6.21.1.
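The following Node.js snippet is an added illustration of the defensive pattern the description implies; it is not Ghost's code or its fix. The server derives the stored content type from an extension allowlist and never copies the client-supplied Content-Type into object metadata; a second helper flags already-stored objects whose recorded type is browser-active or inconsistent with their extension. Function and variable names are assumptions.

```javascript
// Added example, not Ghost's code or its fix: the stored Content-Type of an
// upload comes from a server-side extension allowlist, never from the client.

// Extensions the endpoint accepts, each mapped to the only type it may be
// served as (this is the value to write into S3/GCS object metadata).
const ALLOWED_TYPES = new Map([
  ['.png', 'image/png'], ['.jpg', 'image/jpeg'], ['.jpeg', 'image/jpeg'],
  ['.gif', 'image/gif'], ['.webp', 'image/webp'],
]);

// Types a browser will render or execute as part of the serving origin.
const ACTIVE_TYPES = new Set([
  'text/html', 'application/xhtml+xml', 'image/svg+xml',
  'text/javascript', 'application/javascript',
]);

// Lower-cased extension of the final path component ('' if none).
function extensionOf(name) {
  const base = String(name).split(/[\\/]/).pop() || '';
  const m = /\.([^.]+)$/.exec(base);
  return m ? '.' + m[1].toLowerCase() : '';
}

// Media type without parameters, lower-cased ('' if absent).
function normalizeType(value) {
  return String(value || '').split(';')[0].trim().toLowerCase();
}

// Returns { ok: true, contentType, clientMismatch } or { ok: false, reason }.
// The client's header is only compared for logging; it is never passed on.
function resolveUploadContentType(filename, clientContentType) {
  const ext = extensionOf(filename);
  const contentType = ALLOWED_TYPES.get(ext);
  if (!contentType) return { ok: false, reason: `extension "${ext}" not allowed` };
  const clientMismatch = normalizeType(clientContentType) !== contentType;
  return { ok: true, contentType, clientMismatch };
}

// Post-fix check for objects already in a bucket: flag any whose recorded
// type is active in the browser or disagrees with its extension.
function auditStoredObject(key, storedContentType) {
  const findings = [];
  const stored = normalizeType(storedContentType);
  const ext = extensionOf(key);
  const expected = ALLOWED_TYPES.get(ext);
  if (ACTIVE_TYPES.has(stored)) findings.push(`active content type ${stored}`);
  if (expected && stored !== expected) {
    findings.push(`content type ${stored} does not match extension ${ext}`);
  }
  return findings;
}
```

Serving uploads with `X-Content-Type-Options: nosniff` complements this, so a browser does not second-guess the allowlisted type.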

Affected Version(s)

Ghost >= 6.19.4, < 6.21.1

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
