CVE-2026-53943 | Severity: CRITICAL | CNA: GitHub_M

CVE-2026-53943: Ghost: Cache-poisoning XSS in Ghost frontend via x-ghost-preview header

Ghost is a Node.js content management system. In versions from 4.0.0 up to but not including 6.37.0, when Ghost sits behind a shared caching layer (one that serves the same cached content to different visitors), an unauthenticated user could send an x-ghost-preview header that altered the rendered frontend response. In affected cache configurations that altered response could be stored and served to subsequent visitors requesting the same page, poisoning the cache with request-specific preview output. When the Ghost frontend and admin panel run on the same domain, this could be used to take over staff user accounts; when they run on different domains, staff accounts are not exposed. This vulnerability is fixed in 6.37.0.
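The mechanism behind this advisory is a request header that changes the rendered page but is not part of the cache key. The following Python model is an added example, not Ghost's or HarborGuard's code: origin() is a constructed stand-in for any frontend whose output depends on the x-ghost-preview header, SharedCache is a constructed cache, and the sample path and header value are invented. It shows the same two-request sequence four times: once against a cache keyed on the URL alone, and once against each of three cache-side mitigations (key on the header, refuse to store preview responses, strip the header at the edge).

```python
"""Constructed model of header-driven cache poisoning and three cache-side mitigations.

Added illustration, not Ghost code: origin() stands in for any frontend whose
rendering changes when a request header is present.
"""

PREVIEW_HEADER = "x-ghost-preview"   # the unkeyed header named in the advisory
PATH = "/welcome/"                   # constructed sample URL


def origin(path, headers):
    """Stand-in for the CMS frontend: the body depends on the preview header."""
    if PREVIEW_HEADER in headers:
        return f"<html><body>PREVIEW[{headers[PREVIEW_HEADER]}] {path}</body></html>"
    return f"<html><body>published {path}</body></html>"


def url_only_key(path, headers):
    """Vulnerable pattern: the cache key ignores a header that changes the response."""
    return path


def keyed_on_preview(path, headers):
    """Mitigation 1: fold the response-affecting header into the key (what Vary does)."""
    return (path, headers.get(PREVIEW_HEADER))


def not_preview(path, headers):
    """Mitigation 2: never store a response that was rendered for a preview request."""
    return PREVIEW_HEADER not in headers


def drop_preview_header(headers):
    """Mitigation 3: the edge strips the header before the request reaches the origin."""
    return {k: v for k, v in headers.items() if k != PREVIEW_HEADER}


class SharedCache:
    """Minimal shared cache in front of origin(); every visitor shares self.store."""

    def __init__(self, key_fn, cacheable=lambda path, headers: True, edge_filter=lambda h: h):
        self.store = {}
        self.key_fn = key_fn
        self.cacheable = cacheable
        self.edge_filter = edge_filter

    def fetch(self, path, headers):
        # Header names are case-insensitive; normalise before any decision is made.
        headers = self.edge_filter({k.lower(): v for k, v in headers.items()})
        key = self.key_fn(path, headers)
        if key in self.store:
            return self.store[key], "HIT"
        body = origin(path, headers)
        if self.cacheable(path, headers):
            self.store[key] = body
        return body, "MISS"


def second_visitor_sees(cache):
    """One request carrying the header, then an ordinary visitor to the same URL.

    Returns the body the ordinary visitor receives and whether it came from cache.
    """
    cache.fetch(PATH, {"X-Ghost-Preview": "untrusted-value"})   # constructed value
    return cache.fetch(PATH, {})


def is_poisoned(body):
    """True when the ordinary visitor received output rendered for someone else's header."""
    return "PREVIEW[" in body


if __name__ == "__main__":
    cases = {
        "url-only key (vulnerable)": SharedCache(url_only_key),
        "header folded into key": SharedCache(keyed_on_preview),
        "preview responses uncacheable": SharedCache(url_only_key, cacheable=not_preview),
        "edge strips header": SharedCache(url_only_key, edge_filter=drop_preview_header),
    }
    for name, cache in cases.items():
        body, status = second_visitor_sees(cache)
        print(f"{name:32} {status:4} poisoned={is_poisoned(body)}")
```

Only the first configuration hands the preview-rendered body to the second visitor as a cache HIT. Of the three mitigations, stripping the header at the edge is the only one that keeps the page fully cacheable for ordinary visitors, which is why an edge that has no legitimate need to forward x-ghost-preview is the cheapest compensating control while the upgrade to 6.37.0 is rolled out.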

Metrics

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in: 6.37.0
Affected Products: 1


HarborGuard Analysis

Synopsis

Cache-poisoning cross-site scripting (XSS) is present in the Ghost Node.js content management system, affecting versions 4.0.0 through 6.36.x. An unauthenticated attacker can reach the vulnerability over the network by sending a crafted x-ghost-preview header that, when stored by a shared caching layer, injects malicious script content into pages served to subsequent visitors. Successful exploitation allows the attacker to read sensitive data, tamper with page content, and take over staff user accounts on installations where the Ghost frontend and admin panel share a domain. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built Ghost images in private registries and CI pipelines. Any image layer carrying an affected Ghost version (4.0.0 through 6.36.x) is flagged automatically on next scan.

Status: Available
Triage

HarborGuard scores this finding at CVSS 9.6 Critical and weights it against each environment's compliance policy to determine urgency and routing. Alerts are directed to the appropriate team inbox within the customer org based on configured ownership rules for the affected image or workload.

Status: Available
Patch

Because no upstream fix version has been published yet, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Ghost ships a remediated release. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once a fix version is confirmed.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Ghost frontend service over the network to deliver the malicious x-ghost-preview header.

  • Authentication: Not required

    No credentials are needed; the attack is reachable by any unauthenticated HTTP client.

  • Victim interaction: Required

    A legitimate visitor (such as a staff user) must load the cache-poisoned page for the injected script to execute in their browser.

  • Attack complexity: Low (CVSS AC:L)

    Once a shared caching layer is in place the attack is deterministic: no race conditions or special memory-layout requirements apply.

Blast Radius

  • Attacker reads session tokens and authentication cookies belonging to staff users who load the poisoned page.
  • Attacker modifies rendered page content served to all visitors hitting the cached URL.
  • Attacker executes arbitrary JavaScript in the browser context of affected users, enabling full account takeover of Ghost staff accounts on same-domain deployments.
  • Confidentiality, integrity, and availability are all rated High and the scope is changed, meaning the impact extends beyond the Ghost process itself to the victim's browser session.

How HarborGuard Handles This

Available on HarborGuard: this CVE is tracked continuously with no fix version currently published, so the advisory is re-evaluated on every ingest cycle. In the interim, compensating controls are worth considering: network-policy isolation to restrict which upstream proxies or CDN nodes are permitted to cache Ghost frontend responses, egress filtering to limit the domains from which cached content can be replayed, and where operationally feasible, serving the Ghost frontend and admin panel on separate domains to eliminate the staff account takeover path. For customers who opt into auto-remediation, a patched-image rebuild, regression test run, and PR against affected workloads will be generated automatically the moment Ghost publishes a remediated release. Environments without auto-remediation will receive a notification and a ready-to-deploy rebuilt image in the HarborGuard dashboard at that time.

Affected packages

  • TryGhost / Ghost: >= 4.0.0, < 6.37.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H