{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22597", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-07T21:50:39.532Z", "datePublished": "2026-01-10T02:57:36.898Z", "dateUpdated": "2026-01-12T16:23:47.163Z"}, "containers": {"cna": {"title": "Ghost has SSRF via External Media Inliner", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-vmc4-9828-r48r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-vmc4-9828-r48r"}, {"name": "https://github.com/TryGhost/Ghost/commit/15d49131ff4aac3aca8642501c793f01f2bfcbb9", "tags": ["x_refsource_MISC"], "url": "https://github.com/TryGhost/Ghost/commit/15d49131ff4aac3aca8642501c793f01f2bfcbb9"}, {"name": "https://github.com/TryGhost/Ghost/commit/93add549ccf079d8e28bdb724fbb71a76942ff51", "tags": ["x_refsource_MISC"], "url": "https://github.com/TryGhost/Ghost/commit/93add549ccf079d8e28bdb724fbb71a76942ff51"}], "affected": [{"vendor": "TryGhost", "product": "Ghost", "versions": [{"version": ">= 6.0.0, < 6.11.0", "status": "affected"}, {"version": ">= 5.38.0, < 5.130.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-10T02:57:36.898Z"}, "descriptions": [{"lang": "en", "value": "Ghost is a Node.js content management system. In versions 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost\u2019s media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API to exfiltrate data from internal systems via SSRF. This issue has been patched in versions 5.130.6 and 6.11.0."}], "source": {"advisory": "GHSA-vmc4-9828-r48r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-12T15:33:44.786773Z", "id": "CVE-2026-22597", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T16:23:47.163Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22597", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-12T15:33:44.786773Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T15:33:47.677Z"}}], "cna": {"title": "Ghost has SSRF via External Media Inliner", "source": {"advisory": "GHSA-vmc4-9828-r48r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "TryGhost", "product": "Ghost", "versions": [{"status": "affected", "version": ">= 6.0.0, < 6.11.0"}, {"status": "affected", "version": ">= 5.38.0, < 5.130.6"}]}], "references": [{"url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-vmc4-9828-r48r", "name": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-vmc4-9828-r48r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/TryGhost/Ghost/commit/15d49131ff4aac3aca8642501c793f01f2bfcbb9", "name": "https://github.com/TryGhost/Ghost/commit/15d49131ff4aac3aca8642501c793f01f2bfcbb9", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/TryGhost/Ghost/commit/93add549ccf079d8e28bdb724fbb71a76942ff51", "name": "https://github.com/TryGhost/Ghost/commit/93add549ccf079d8e28bdb724fbb71a76942ff51", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Ghost is a Node.js content management system. In versions 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost\u2019s media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API to exfiltrate data from internal systems via SSRF. This issue has been patched in versions 5.130.6 and 6.11.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-10T02:57:36.898Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22597", "state": "PUBLISHED", "dateUpdated": "2026-01-12T16:23:47.163Z", "dateReserved": "2026-01-07T21:50:39.532Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-10T02:57:36.898Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "54BE11DA-FEBF-4266-A8A2-2EFFC9E964F5", "versionEndExcluding": "5.130.6", "versionStartIncluding": "5.38.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "9EC484AC-A1F0-4C13-BFAB-9DA57116957D", "versionEndExcluding": "6.11.0", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Ghost is a Node.js content management system. In versions 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost\u2019s media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API to exfiltrate data from internal systems via SSRF. This issue has been patched in versions 5.130.6 and 6.11.0."}, {"lang": "es", "value": "Ghost es un sistema de gesti\u00f3n de contenido Node.js. En las versiones 5.38.0 a 5.130.5 y 6.0.0 a 6.10.3, una vulnerabilidad en el mecanismo de incrustaci\u00f3n de medios de Ghost permite a los usuarios del personal en posesi\u00f3n de un token de autenticaci\u00f3n v\u00e1lido para la API de administraci\u00f3n de Ghost exfiltrar datos de sistemas internos a trav\u00e9s de SSRF. Este problema ha sido parcheado en las versiones 5.130.6 y 6.11.0."}], "id": "CVE-2026-22597", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-10T03:15:50.860", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/TryGhost/Ghost/commit/15d49131ff4aac3aca8642501c793f01f2bfcbb9"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/TryGhost/Ghost/commit/93add549ccf079d8e28bdb724fbb71a76942ff51"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-vmc4-9828-r48r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T07:13:48.063392+00:00", "value": {"mitigation_remediation": ["Update Ghost to at least version 5.130.6 or 6.11.0 to apply the official fix.", "If an immediate upgrade is not possible, disable external media inlining or restrict it to a whitelist of trusted domains through Ghost configuration settings.", "Apply network segmentation or firewall rules that block Ghost\u2019s internal endpoints from reaching internal IP ranges used for sensitive services, preventing SSRF traffic to those networks."], "summary": {"action": "Patch immediately", "impact": "Remote data exfiltration via SSRF using valid staff API tokens"}, "threat_synthesis": {"affected_systems": "TryGhost Ghost content management system is affected. The vulnerability exists in all releases from 5.38.0 up to and including 5.130.5 and from 6.0.0 up to 6.10.3. The issue was fixed in Ghost 5.130.6 and 6.11.0.", "description_and_impact": "Ghost 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3 allow a staff user who holds a valid authentication token for the Ghost Admin API to craft media requests that the server will forward to arbitrary URLs. This Server\u2011Side Request Forgery enables the attacker to read data from internal network hosts or servers that would otherwise be unreachable from the Internet, thereby compromising confidentiality of internal resources.", "risk_and_exploitability": "The base CVSS score is 5.1, indicating moderate severity. EPSS is below 1\u202f%, suggesting a low probability that the vulnerability is actively exploited, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an API request that includes a media URL, leveraging a stolen or compromised staff API token. Exploitability requires the attacker to obtain a valid token, after which the SSRF can be used to exfiltrate internal data with relative ease. The overall risk remains moderate, but the low exploitation probability mitigates the urgency somewhat."}}}}, "created": "2026-01-12T14:36:58.288192+00:00", "updated": "2026-04-18T07:15:25.860334+00:00", "vendors": ["ghost", "ghost$PRODUCT$ghost"]}