9.8
Ghost Themes Can Execute Malicious Code on Your Server
CVE-2026-29053
GHSA-cgc2-rcrh-qr5x
BIT-ghost-2026-29053
Summary
If you're running Ghost versions 0.7.2 to 6.19.0, an attacker could craft a malicious theme that executes arbitrary code on your server. This could lead to data theft, website damage, or other security issues. Update to version 6.19.1 to fix this issue.
What to do
- Update ghost (vendor: ghost-slimer) to version 6.19.1.
- Update ghost to version 6.19.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| ghost-slimer | ghost | > 0.7.2 , <= 6.19.0 | 6.19.1 |
| ghost | ghost | > 0.7.2 , <= 6.19.1 | – |
| – | ghost | > 0.7.2 , <= 6.19.1 | 6.19.1 |
Original title
Ghost Vulnerable to Remote Code Execution via Malicious Themes
Original description
Ghost is a Node.js content management system. From version 0.7.2 to 6.19.0, specifically crafted malicious themes can execute arbitrary code on the server running Ghost. This issue has been patched in version 6.19.1.
NVD CVSS 3.1
7.6
Vulnerability type
CWE-74
Injection
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026