GHSA-gv6q-2m97-882h

Source

https://github.com/advisories/GHSA-gv6q-2m97-882h

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-gv6q-2m97-882h/GHSA-gv6q-2m97-882h.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-gv6q-2m97-882h

Aliases

Published

2026-01-28T16:11:59Z

Modified

2026-02-03T09:26:16.637328Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Ghost vulnerable to XSS via malicious Portal preview links

Details

Impact

An attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaScript with the victim's permissions, potentially leading to account takeover.

Vulnerable versions

This vulnerability is present in Ghost versions: - v5.43.0 to v5.120.4 - v6.0.0 to v6.14.0

As well as in Portal versions: - v2.29.1 to v2.51.4 - v2.52.0 to v2.57.0

Patches

Ghost automatically loads the latest patch of the members Portal component via CDN. Therefore: - For Ghost 5.x users, upgrading to v5.121.0 or later fixes the vulnerability (loads Portal v2.51.5, which contains the patch) - For Ghost 6.x users, upgrading to v6.15.0 or later fixes the vulnerability (loads Portal v2.57.1, which contains the patch)

For Ghost installations using a customised or self-hosted version of Portal, it will be necessary to manually rebuild from or update to the latest patch version.

References

Ghost thanks Younes Belalia for discovering and disclosing this vulnerability responsibly.

For more information

If users have any questions or comments about this advisory, email Ghost at security@ghost.org.

Database specific

{
    "nvd_published_at": "2026-01-27T22:15:57Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-28T16:11:59Z"
}

References

Affected packages

npm / ghost

Package

Name: ghost; View open source insights on deps.dev
Purl: pkg:npm/ghost

Affected ranges

Type: SEMVER
Events: Introduced

5.43.0

Fixed

5.121.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-gv6q-2m97-882h/GHSA-gv6q-2m97-882h.json"

npm / @tryghost/portal

Package

Name: @tryghost/portal; View open source insights on deps.dev
Purl: pkg:npm/%40tryghost/portal

Affected ranges

Type: SEMVER
Events: Introduced

2.29.1

Fixed

2.51.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-gv6q-2m97-882h/GHSA-gv6q-2m97-882h.json"

npm / @tryghost/portal

Package

Name: @tryghost/portal; View open source insights on deps.dev
Purl: pkg:npm/%40tryghost/portal

Affected ranges

Type: SEMVER
Events: Introduced

2.52.0

Fixed

2.57.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-gv6q-2m97-882h/GHSA-gv6q-2m97-882h.json"

npm / ghost

Package

Name: ghost; View open source insights on deps.dev
Purl: pkg:npm/ghost

Affected ranges

Type: SEMVER
Events: Introduced

6.0.0

Fixed

6.15.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-gv6q-2m97-882h/GHSA-gv6q-2m97-882h.json"