CVE-2026-53947
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk11th percentile — higher than 11% of all known CVEs
Summary
A vulnerability in the Ghost content management system (versions 5.18.0 through 6.21.1) allows an unauthenticated attacker to determine whether a given email address belongs to a registered member. The issue stems from discrepancies in responses from the members signin endpoints.
Risk Assessment
An attacker can perform account enumeration, facilitating targeted social engineering or brute-force attacks on discovered accounts.
Recommendation
Immediately update Ghost to version 6.21.1 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
Ghost is a Node.js content management system. From 5.18.0 until 6.21.1, a discrepancy in responses from the members signin endpoints made it possible for an unauthenticated attacker to determine whether a given email address belongs to a registered member of a Ghost site. This vulnerability is fixed in 6.21.1.

