@tryghost/activitypub is Ghost’s social/federation client app. Prior to 3.1.0, the ActivityPub client in Ghost was vulnerable to JavaScript injection on posts shared by a maliciously customised ActivityPub server. This vulnerability is fixed in 3.1.0.
{
"severity": "High",
"cpes": [
"cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*"
]
}