CVE Catalog

CVE-2026-53949

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.21%

12th percentile — higher than 12% of all known CVEs

Summary

In the Ghost content management system, from version 5.46.1 to 6.21.2, the validation applied to filters on public API endpoints could be partially bypassed, allowing the disclosure of private fields via a brute force attack. If SQLite was used, password hashes were fully accessible, while in the case of MySQL, the case of the password hashes was lost, potentially rendering further brute force attacks ineffective.

Risk Assessment

Organizations may be exposed to the disclosure of sensitive data, leading to privacy breaches and potential financial losses. The exposure of passwords may also allow unauthorized access to user accounts.

Recommendation

It is recommended to update the Ghost system to version 6.21.2 or later to eliminate this vulnerability. Additionally, consider implementing further security measures, such as limiting login attempts.

Original NVD description (English source)

Ghost is a Node.js content management system. From 5.46.1 until 6.21.2, the validation applied to filters on the public API endpoints could be partially bypassed, making it possible to reveal private fields via a brute force attack. If SQLite was used as the database password hashes were fully accessible. If MySQL was used as the database the password hashes' case (uppercase / lowercase) would have been lost, which would likely have rendered a further brute force attack on the discovered hashes fruitless. This vulnerability is fixed in 6.21.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS