GHSA-9m84-wc28-w895

Source

https://github.com/advisories/GHSA-9m84-wc28-w895

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-9m84-wc28-w895/GHSA-9m84-wc28-w895.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-9m84-wc28-w895

Aliases

Published

2026-03-05T00:42:55Z

Modified

2026-03-10T09:26:17.416781Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Ghost has incomplete CSRF protections around OTC use

Details

Impact

Incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to take over a Ghost site.

Vulnerable versions

This vulnerability is present in Ghost from v5.101.6 up to v6.19.2.

Patches

v6.19.3 contains a fix for this issue.

How to update

For self-hosters using Docker, find Docker's official Ghost image here. Updating a Docker-based Ghost instance is documented here.

If a project's Ghost is a Ghost-CLI install see the documentation on updating it to the latest version here.

For more information

If there are any questions or comments about this advisory, send an email to security@ghost.org.

Database specific

{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-352"
    ],
    "nvd_published_at": "2026-03-07T16:15:55Z",
    "github_reviewed_at": "2026-03-05T00:42:55Z",
    "severity": "HIGH"
}

References

Affected packages

npm / ghost

Package

Name: ghost; View open source insights on deps.dev
Purl: pkg:npm/ghost

Affected ranges

Type: SEMVER
Events: Introduced

5.101.6

Fixed

6.19.3

Database specific

last_known_affected_version_range

"<= 6.19.2"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-9m84-wc28-w895/GHSA-9m84-wc28-w895.json"