Ghost vulnerable to XSS via malicious Portal preview links

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, an attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaScript with the victim's permissions, potentially leading to account takeover. Ghost Portal versions 2.29.1 through 2.51.4 and 2.52.0 through 2.57.0 were vulnerable to this issue. Ghost automatically loads the latest patch of the members Portal component via CDN. For Ghost 5.x users, upgrading to v5.121.0 or later fixes the vulnerability. v5.121.0 loads Portal v2.51.5, which contains the patch. For Ghost 6.x users, upgrading to v6.15.0 or later fixes the vulnerability. v6.15.0 loads Portal v2.57.1, which contains the patch. For Ghost installations using a customized or self-hosted version of Portal, it will be necessary to manually rebuild from or update to the latest patch version.

Basic Information

ID CVE-2026-24778

Source GitHub_M

Published Jan 27, 2026 at 21:57

Affected Product

Vendor TryGhost

Product Ghost

Version @tryghost/portal >= 2.29.1, < 2.51.5

Affected Versions TryGhost Ghost @tryghost/portal >= 2.29.1, < 2.51.5
TryGhost Ghost @tryghost/portal >= 2.52.0, < 2.57.1
TryGhost Ghost ghost >= 5.43.0, < 5.121.0
TryGhost Ghost ghost >= 6.0.0, < 6.15.0

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, an attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaScript with the victim's permissions, potentially leading to account takeover. Ghost Portal versions 2.29.1 through 2.51.4 and 2.52.0 through 2.57.0 were vulnerable to this issue. Ghost automatically loads the latest patch of the members Portal component via CDN. For Ghost 5.x users, upgrading to v5.121.0 or later fixes the vulnerability. v5.121.0 loads Portal v2.51.5, which contains the patch. For Ghost 6.x users, upgrading to v6.15.0 or later fixes the vulnerability. v6.15.0 loads Portal v2.57.1, which contains the patch. For Ghost installations using a customized or self-hosted version of Portal, it will be necessary to manually rebuild from or update to the latest patch version.",
    "published": "2026-01-27T21:57:45.298Z",
    "modified": "2026-01-27T21:57:45.298Z",
    "type": "cve",
    "title": "Ghost vulnerable to XSS via malicious Portal preview links",
    "source": "GitHub_M",
    "references": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-gv6q-2m97-882h\nhttps://github.com/TryGhost/Ghost/commit/da858e640e88e69c1773a7b7ecdc2008fa143849",
    "id": "CVE-2026-24778",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "TryGhost Ghost @tryghost/portal >= 2.29.1, < 2.51.5\nTryGhost Ghost @tryghost/portal >= 2.52.0, < 2.57.1\nTryGhost Ghost ghost >= 5.43.0, < 5.121.0\nTryGhost Ghost ghost >= 6.0.0, < 6.15.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Ghost",
    "version": "@tryghost/portal >= 2.29.1, < 2.51.5",
    "vendor": "TryGhost",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Ghost vulnerable to XSS via malicious Portal preview links_CVE-2026-24778