Package impact

npm / ghost

critical high medium low unknown

0

KEV Has exploit

CVE	Severity	CVSS	Risk	Flags	OS	Vendor	Published	Description
CVE-2026-26980	high	7.5	8.5				3mo ago	Ghost has a SQL injection in Content API
CVE-2026-22597	low	2.7	2.7				5mo ago	Ghost has SSRF via External Media Inliner
CVE-2023-40028	unknown	—	1.0				3y ago	Ghost vulnerable to arbitrary file read via symlinks in content import
CVE-2023-32235	unknown	—	1.0				3y ago	Path Traversal in Ghost
CVE-2026-29784	unknown	—	—				3mo ago	Ghost has incomplete CSRF protections around OTC use
CVE-2026-29053	unknown	—	—				3mo ago	Ghost Vulnerable to Remote Code Execution via Malicious Themes
CVE-2026-24778	unknown	—	—				4mo ago	Ghost vulnerable to XSS via malicious Portal preview links
CVE-2026-22596	unknown	—	—				5mo ago	Ghost has SQL Injection in Members Activity Feed
CVE-2026-22595	unknown	—	—				5mo ago	Ghost has Staff Token permission bypass
CVE-2026-22594	unknown	—	—				5mo ago	Ghost has Staff 2FA bypass
CVE-2025-9862	unknown	—	—				9mo ago	Ghost vulnerable to Server Side Request Forgery (SSRF) via oEmbed Bookmark
CVE-2024-43409	unknown	—	—				2y ago	Ghost's improper authentication allows access to member information and actions
CVE-2024-23724	unknown	—	—				2y ago	Ghost has possible Cross-site Scripting issue
CVE-2024-23725	unknown	—	—				2y ago	Cross-site Scripting in Ghost
CVE-2023-31133	unknown	—	—				3y ago	Ghost vulnerable to information disclosure of private API fields
CVE-2022-41654	unknown	—	—				4y ago	ghost vulnerable to unauthorized newsletter modification via improper access controls
CVE-2022-27139	unknown	—	—				4y ago	Arbitrary file upload in Ghost
CVE-2022-28397	unknown	—	—				4y ago	Arbitrary file upload in Ghost
CVE-2021-39192	unknown	—	—				5y ago	Privilege escalation: all users can access Admin-level API keys
CVE-2020-8134	unknown	—	—				5y ago	Server-side request forgery in Ghost CMS
CVE-2021-29484	unknown	—	—				5y ago	DOM XSS in Theme Preview