BIT-ghost-2026-53944

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/ghost/BIT-ghost-2026-53944.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-ghost-2026-53944
Aliases
Published
2026-06-30T23:39:18.559Z
Modified
2026-07-08T08:26:15.470956789Z
Summary
Ghost: Private IP filtering bypass to make server-side requests to internal services
Details

Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, when making an external request, it is possible to bypass the IP filter that ensures the request isn't going to an internal service using an IPv6 literal which maps to a private IPv4 address. This vulnerability is fixed in 6.21.1.

Database specific
{
    "cpes": [
        "cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*"
    ],
    "severity": "Medium"
}
References

Affected packages

Bitnami / ghost

Package

Name
ghost
Purl
pkg:bitnami/ghost

Severity

  • 5.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
6.0.9
Fixed
6.21.1

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/ghost/BIT-ghost-2026-53944.json"