CVE-2026-29784

HIGH 7.5

Ghost: Incomplete CSRF protections around OTC use

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to take over a Ghost site. This issue has been patched in version 6.19.3.

CWE	CWE-352
Vendor	tryghost
Product	ghost
Published	Mar 7, 2026
Last Updated	Mar 9, 2026

Stay Ahead of the Next One

Get instant alerts for tryghost ghost

Be the first to know when new high vulnerabilities affecting tryghost ghost are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

TryGhost / Ghost

>= 5.101.6, < 6.19.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/TryGhost/Ghost/security/advisories/GHSA-9m84-wc28-w895 github.com: https://github.com/TryGhost/Ghost/commit/ec065a774fa125953d2aa644a59cd8990329e0a0