CVE-2026-53944
Published
CVSS v3
5.8
MEDIUM
CVSS v2
N/A
Affected
1
PROJECT
Description
Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, when making an external request, it is possible to bypass the IP filter that ensures the request isn't going to an internal service using an IPv6 literal which maps to a private IPv4 address. This vulnerability is fixed in 6.21.1.
Independent technology for modern publishing, memberships, subscriptions and newsletters.
GitHub