CVE-2026-29053
Ghost Vulnerable to Remote Code Execution via Malicious Themes
CVSS Score
7.7
EPSS Score
0.0%
EPSS Percentile
0th
Ghost is a Node.js content management system. From version 0.7.2 to 6.19.0, specifically crafted malicious themes can execute arbitrary code on the server running Ghost. This issue has been patched in version 6.19.1.
| CWE | CWE-74 |
| Vendor | tryghost |
| Product | ghost |
| Published | Mar 5, 2026 |
| Last Updated | Mar 5, 2026 |
Stay Ahead of the Next One
Get instant alerts for tryghost ghost
Be the first to know when new high vulnerabilities affecting tryghost ghost are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
TryGhost / Ghost
>= 0.7.2, < 6.19.1