Main Vulnerability Database Vulnerabilities #VU128206

Cross-site scripting in Ghost - CVE-2026-24778

Published: April 27, 2026

Vulnerability identifier: #VU128206

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green

CVE-ID: CVE-2026-24778

CWE-ID: CWE-79

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Ghost

Affected software:
Ghost

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary JavaScript in the victim's browser.

The vulnerability exists due to cross-site scripting in Portal preview links when handling crafted links. A remote attacker can send a specially crafted link to execute arbitrary JavaScript in the victim's browser.

User interaction is required, and the link must be accessed by an authenticated staff user or member.

How to mitigate CVE-2026-24778

Install security update from vendor's website.

Sources

https://github.com/TryGhost/Ghost/security/advisories/GHSA-gv6q-2m97-882h

Cross-site scripting in Ghost - CVE-2026-24778

Detailed vulnerability description

How to mitigate CVE-2026-24778

Sources

Please verify you're human