{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29784", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-04T16:26:02.898Z", "datePublished": "2026-03-07T15:30:38.331Z", "dateUpdated": "2026-03-09T18:26:40.354Z"}, "containers": {"cna": {"title": "Ghost: Incomplete CSRF protections around OTC use", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-9m84-wc28-w895", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-9m84-wc28-w895"}, {"name": "https://github.com/TryGhost/Ghost/commit/ec065a774fa125953d2aa644a59cd8990329e0a0", "tags": ["x_refsource_MISC"], "url": "https://github.com/TryGhost/Ghost/commit/ec065a774fa125953d2aa644a59cd8990329e0a0"}], "affected": [{"vendor": "TryGhost", "product": "Ghost", "versions": [{"version": ">= 5.101.6, < 6.19.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T15:30:38.331Z"}, "descriptions": [{"lang": "en", "value": "Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to take over a Ghost site. This issue has been patched in version 6.19.3."}], "source": {"advisory": "GHSA-9m84-wc28-w895", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T17:39:47.708167Z", "id": "CVE-2026-29784", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T18:26:40.354Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29784", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T17:39:47.708167Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T17:39:48.701Z"}}], "cna": {"title": "Ghost: Incomplete CSRF protections around OTC use", "source": {"advisory": "GHSA-9m84-wc28-w895", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "TryGhost", "product": "Ghost", "versions": [{"status": "affected", "version": ">= 5.101.6, < 6.19.3"}]}], "references": [{"url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-9m84-wc28-w895", "name": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-9m84-wc28-w895", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/TryGhost/Ghost/commit/ec065a774fa125953d2aa644a59cd8990329e0a0", "name": "https://github.com/TryGhost/Ghost/commit/ec065a774fa125953d2aa644a59cd8990329e0a0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to take over a Ghost site. This issue has been patched in version 6.19.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T15:30:38.331Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29784", "state": "PUBLISHED", "dateUpdated": "2026-03-09T18:26:40.354Z", "dateReserved": "2026-03-04T16:26:02.898Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-07T15:30:38.331Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "7C06A46C-5508-4F64-9563-0605A985A9D1", "versionEndExcluding": "6.19.3", "versionStartIncluding": "5.101.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to take over a Ghost site. This issue has been patched in version 6.19.3."}, {"lang": "es", "value": "Ghost es un sistema de gesti\u00f3n de contenido Node.js. Desde la versi\u00f3n 5.101.6 hasta la 6.19.2, las protecciones CSRF incompletas en torno a /session/verify hicieron posible usar OTCs en sesiones de inicio de sesi\u00f3n diferentes de la sesi\u00f3n solicitante. En algunos escenarios, esto podr\u00eda haber facilitado a los phishers tomar el control de un sitio Ghost. Este problema ha sido parcheado en la versi\u00f3n 6.19.3."}], "id": "CVE-2026-29784", "lastModified": "2026-03-09T20:06:23.960", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-07T16:15:55.430", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/TryGhost/Ghost/commit/ec065a774fa125953d2aa644a59cd8990329e0a0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-9m84-wc28-w895"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.101.6,6.19.3)"}}], "enrichment": {"confidence": 88.0, "confidence_source": "matching", "scores": [{"score": 88.0, "source": "matching"}]}, "original": {"product": "Ghost", "source": "cna", "vendor": "TryGhost"}, "product": "ghost", "vendor": "ghost"}], "analysis": {"en": {"generated_at": "2026-04-17T12:10:18.573912+00:00", "value": {"mitigation_remediation": ["Update Ghost to version 6.19.3 or later to apply the vendor\u2011supplied patch that restores proper CSRF protection on /session/verify.", "Configure Ghost to enforce session binding for OTCs by disabling cross\u2011session OTC reuse or setting the appropriate parameter so that the token must match the originating session.", "Implement or strengthen existing web application firewall rules to reject cross\u2011origin POST requests to /session/verify if CSRF protection is disabled or misconfigured."], "summary": {"action": "Patch now", "impact": "Unauthorized session takeover"}, "threat_synthesis": {"affected_systems": "Affected products are Ghost content\u2011management systems by TryGhost. Any deployment running Ghost versions from 5.101.6 up to and including 6.19.2 is vulnerable. Versions 6.19.3 and later contain the fix and are not affected.", "description_and_impact": "Ghost, the popular Node.js content management system, suffered from a defect in CSRF protection surrounding the /session/verify endpoint. From version 5.101.6 through 6.19.2, the implementation allowed one\u2011time tokens (OTCs) issued in one user session to be used in a different login session. This flaw permits an attacker who is able to submit a forged HTTP request\u2014typically by hosting a malicious page that submits a form or script on behalf of a logged\u2011in user\u2014to trick the victim into re\u2011using an OTC that was created for a distinct session. The result is that the attacker can assume control of the victim\u2019s Ghost site session, effectively performing a full account takeover. The weakness is a classic CSRF flaw (CWE\u2011352).", "risk_and_exploitability": "The CVSS score is 7.5, indicating a high\u2011severity vulnerability. EPSS shows a probability of exploitation lower than 1\u202f%, suggesting currently low but non\u2011zero likelihood. The flaw is not listed in the CISA KEV catalog. Because the issue exploits a CSRF weakness, the attack vector is likely cross\u2011site request forgery\u2014an attacker can lure a logged\u2011in user to load a malicious webpage that submits a request to /session/verify with an OTC from the user\u2019s browser. The attacker needs only to get the victim to interact with a site under their control, making the exploit possible from any location. Although it does not lead directly to code execution, an attacker who gains a site session can modify content, install plugins, or access administrative functions, effectively taking over the Ghost site."}}}}, "created": "2026-03-09T10:05:13.025374+00:00", "updated": "2026-04-17T12:15:18.169323+00:00", "vendors": ["ghost", "ghost$PRODUCT$ghost"]}