CVE-2026-53946

MEDIUM 5.4

Ghost: Mobiledoc image-size fetch SSRF

CVSS Score

5.4

EPSS Score

0.0%

EPSS Percentile

0th

Ghost is a Node.js content management system. From 6.19.4 until 6.21.1, when re-rendering posts, Ghost would refetch missing image dimensions by issuing an outbound HTTP request to the URL stored on an image card — without restricting that URL to trusted image hosts. An authenticated staff user able to create or edit posts could therefore point an image card at an attacker-chosen host and cause the Ghost server to request it on their behalf, including hosts on internal networks or cloud instance metadata endpoints that would not normally be reachable from the public internet. This vulnerability is fixed in 6.21.1.

CWE	CWE-918
Vendor	tryghost
Product	ghost
Published	Jun 24, 2026

Stay Ahead of the Next One

Get instant alerts for tryghost ghost

Be the first to know when new medium vulnerabilities affecting tryghost ghost are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

TryGhost / Ghost

>= 6.19.4, < 6.21.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/TryGhost/Ghost/security/advisories/GHSA-g366-23fw-ggp6