Ghost: CSRF Protection Allows Potential Phishing Takeovers
GHSA-9m84-wc28-w895
CVE-2026-29784
BIT-ghost-2026-29784
Summary
A flaw in Ghost's login flow (incomplete CSRF protection around the /session/verify step) made it easier for a phishing attacker to take control of a site. The weakness was fixed in version 6.19.3; update to the latest version to protect your site.
What to do
- Update ghost to version 6.19.3.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | ghost | > 5.101.6 , <= 6.19.2 | 6.19.3 |
| – | ghost | > 5.101.6 , <= 6.19.3 | 6.19.3 |
| ghost | ghost | > 5.101.6 , <= 6.19.3 | – |
Original title
Ghost: Incomplete CSRF protections around OTC use
Original description
Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to take over a Ghost site. This issue has been patched in version 6.19.3.
CVSS 3.1 (GHSA): 7.5
Vulnerability type
CWE-352: Cross-Site Request Forgery (CSRF)
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026