CVE-2026-53945
MediumCVSS 4.0Exploitation Probability (EPSS)
Low risk4th percentile — higher than 4% of all known CVEs
Summary
Ghost is a Node.js content management system. From versions 6.0.9 to 6.21.1, the private-IP check for outbound HTTP requests could be bypassed via DNS rebinding, allowing an attacker to coerce the Ghost server into reaching hosts on internal networks.
Risk Assessment
This vulnerability may lead to unauthorized access to internal organizational resources, posing a serious threat to data security.
Recommendation
It is recommended to update Ghost to version 6.21.1 or later to mitigate this vulnerability.
Original NVD description (English source)
Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, Ghost’s private-IP check for outbound HTTP requests could be bypassed via DNS rebinding, allowing an attacker to coerce the Ghost server into reaching hosts on internal networks through features that issue external fetches. This vulnerability is fixed in 6.21.1.

