CVE-2026-22595

Опубликовано: 10 янв. 2026

Источник: nvd

CVSS3: 8.1

EPSS Низкий

Описание

Ghost is a Node.js content management system. In versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's handling of Staff Token authentication allowed certain endpoints to be accessed that were only intended to be accessible via Staff Session authentication. External systems that have been authenticated via Staff Tokens for Admin/Owner-role users would have had access to these endpoints. This issue has been patched in versions 5.130.6 and 6.11.0.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*

Версия от 5.121.0 (включая) до 5.130.6 (исключая)

cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*

Версия от 6.0.0 (включая) до 6.11.0 (исключая)

EPSS

Процентиль: 24%

0.00081

Низкий

8.1 High

CVSS3

Дефекты

CWE-863

Связанные уязвимости

CVE-2026-22595

CVSS3: 8.1

debian

10 дней назад

Ghost is a Node.js content management system. In versions 5.121.0 thro ...

GHSA-9xg7-mwmp-xmjx

CVSS3: 8.1

github

11 дней назад

Ghost has Staff Token permission bypass

EPSS

Процентиль: 24%

0.00081

Низкий

8.1 High

CVSS3

Дефекты

CWE-863