CVE-2026-53950

HIGH 7.5

@tryghost/activitypub: XSS in Ghost's ActivityPub client

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

@tryghost/activitypub is Ghost’s social/federation client app. Prior to 3.1.0, the ActivityPub client in Ghost was vulnerable to JavaScript injection on posts shared by a maliciously customised ActivityPub server. This vulnerability is fixed in 3.1.0.

CWE	CWE-79
Vendor	tryghost
Product	ghost
Published	Jun 24, 2026
Last Updated	Jun 24, 2026

Stay Ahead of the Next One

Get instant alerts for tryghost ghost

Be the first to know when new high vulnerabilities affecting tryghost ghost are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

TryGhost / Ghost

< 3.1.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/TryGhost/Ghost/security/advisories/GHSA-xpp7-93x6-v29m