CVE Catalog

CVE-2026-53944

MediumCVSS 5.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile — higher than 10% of all known CVEs

Summary

Ghost is a Node.js content management system. From versions 6.0.9 to 6.21.1, it is possible to bypass the IP filter when making an external request, allowing it to target an internal service using an IPv6 literal that maps to a private IPv4 address.

Risk Assessment

Bypassing the IP filter may lead to unauthorized access to internal services, posing a significant security risk to the organization.

Recommendation

It is recommended to update Ghost to version 6.21.1 or later to mitigate this vulnerability.

Original NVD description (English source)

Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, when making an external request, it is possible to bypass the IP filter that ensures the request isn't going to an internal service using an IPv6 literal which maps to a private IPv4 address. This vulnerability is fixed in 6.21.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS