Arbitrary File Upload Affecting ghost package, versions >=6.19.4 <6.21.2


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.13% (4th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary File Upload vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-GHOST-17823278
  • published6 Jul 2026
  • disclosed24 Jun 2026
  • creditUnknown

Introduced: 24 Jun 2026

NewCVE-2026-53948  (opens in a new tab)
CWE-434  (opens in a new tab)

How to fix?

Upgrade ghost to version 6.21.2 or higher.

Overview

ghost is a publishing platform

Affected versions of this package are vulnerable to Arbitrary File Upload through the Admin API /files/upload endpoint in ghost/core/core/server/api/endpoints/files.js. An attacker can make uploaded files be served with an attacker-chosen content type by sending a file upload request with a forged Content-Type value. The endpoint passed the client-supplied MIME type to the storage adapter when saving files, so S3/GCS-backed installations could store and later serve an uploaded file as text/html or another active type. On sites that serve uploaded assets from the same origin, this can be used to deliver stored cross-site scripting to visitors or staff.

Notes

  • On self-hosted installs using S3/GCS-backed file storage, the uploaded object metadata is what later drives the content type served from the storage backend; local filesystem storage is not the same exposure.
  • The vulnerable path was the Admin API upload flow, so the spoofed type came from authenticated upload requests rather than public file-serving endpoints.

CVSS Base Scores

version 4.0
version 3.1