Command injection in Ghost - #VU128202
Published: September 17, 2021 / Updated: April 27, 2026
Ghost
Description
The vulnerability allows a remote attacker to inject commands.
The vulnerability exists due to command injection in the email transport configuration when the sendmail transport is used for mail delivery. A remote attacker can inject commands through the vulnerable nodemailer sendmail handling.
Only sites explicitly configured to use the sendmail transport are vulnerable.
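To check whether a given site falls into that configured-for-sendmail group, the following added example (not code from Ghost or from this advisory) resolves the effective mail transport from a parsed Ghost config object and the process environment. It assumes Ghost's `mail.transport` config key and the `mail__transport` environment override, with the environment taking precedence; the function names and sample configs are hypothetical and constructed for illustration.

```javascript
// Added example: audit a Ghost configuration for the sendmail mail transport.
// Assumptions: transport is set at mail.transport in the JSON config, and
// the environment variable mail__transport overrides the file value.

function resolveMailTransport(config, env) {
  // The environment override is checked first because it wins over the file.
  if (env && typeof env.mail__transport === 'string') {
    return { value: env.mail__transport, source: 'env:mail__transport' };
  }
  const mail = config && typeof config === 'object' ? config.mail : undefined;
  if (mail && typeof mail.transport === 'string') {
    return { value: mail.transport, source: 'config:mail.transport' };
  }
  return { value: null, source: 'unset' };
}

function auditSendmailExposure(config, env = {}) {
  const { value, source } = resolveMailTransport(config, env);
  // Normalise case and whitespace so "Sendmail" or " sendmail " is not missed.
  const normalized = value === null ? null : value.trim().toLowerCase();
  return { transport: value, source, usesSendmail: normalized === 'sendmail' };
}

// Constructed sample configurations (not taken from any real site).
const SAMPLE_SENDMAIL = JSON.parse(
  '{"url":"https://blog.example","mail":{"transport":"Sendmail"}}'
);
const SAMPLE_SMTP = JSON.parse(
  '{"url":"https://blog.example","mail":{"transport":"SMTP","options":{"host":"smtp.example"}}}'
);

const cases = [
  ['file says Sendmail', SAMPLE_SENDMAIL, {}],
  ['file says SMTP', SAMPLE_SMTP, {}],
  ['file says SMTP, env forces sendmail', SAMPLE_SMTP, { mail__transport: 'sendmail' }],
  ['no mail section', { url: 'https://blog.example' }, {}],
];
for (const [label, cfg, env] of cases) {
  const r = auditSendmailExposure(cfg, env);
  console.log(`${label}: usesSendmail=${r.usesSendmail} (${r.source})`);
}
```

On a real host, pass the parsed contents of the site's config file and `process.env` to `auditSendmailExposure`.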