CVE-2026-53944
Ghost: Private IP filtering bypass to make server-side requests to internal services
CVSS Score
5.8
EPSS Score
0.0%
EPSS Percentile
0th
Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, when making an external request, it is possible to bypass the IP filter that ensures the request isn't going to an internal service using an IPv6 literal which maps to a private IPv4 address. This vulnerability is fixed in 6.21.1.
| CWE | CWE-184 CWE-918 |
| Vendor | tryghost |
| Product | ghost |
| Published | Jun 24, 2026 |
| Last Updated | Jun 24, 2026 |
Stay Ahead of the Next One
Get instant alerts for tryghost ghost
Be the first to know when new medium vulnerabilities affecting tryghost ghost are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None
Affected Versions
TryGhost / Ghost
>= 6.0.9, < 6.21.1