Incomplete List of Disallowed Inputs Affecting ghost package, versions >=6.0.9 <6.21.2


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.2% (10th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-GHOST-17823150
  • published6 Jul 2026
  • disclosed24 Jun 2026
  • creditl3tchupkt

Introduced: 24 Jun 2026

NewCVE-2026-53944  (opens in a new tab)
CWE-184  (opens in a new tab)

How to fix?

Upgrade ghost to version 6.21.2 or higher.

Overview

ghost is a publishing platform

Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs through the isPrivateIp logic in core/server/lib/request-external.js. An attacker can make Ghost send server-side requests to internal services by supplying an external URL that uses an IPv6 literal mapping to a private IPv4 address, such as an expanded IPv4-mapped form that slips past the private-IP check. This lets an attacker reach loopback, link-local, or RFC1918 targets from Ghost’s outbound request handling, exposing internal network services to SSRF-style access and letting the attacker trigger requests against resources the application was meant to block.

CVSS Base Scores

version 4.0
version 3.1