CVE-2026-24778
Published: 27 January 2026
Summary
CVE-2026-24778 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Ghost Ghost. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 directly mandates identifying, reporting, and correcting flaws like this XSS vulnerability through timely patching of affected Ghost and Portal versions.
SI-15 requires filtering information outputs to prevent execution of injected JavaScript from malicious links in the Ghost Portal component.
SI-10 enforces validation of inputs such as crafted malicious links to block the XSS payload before it reaches authenticated users.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
XSS in public-facing Ghost Portal enables arbitrary JS execution (T1059.007) via malicious link to the app (T1190) and direct session cookie theft for account takeover (T1539).
NVD Description
Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, an attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaScript…
more
with the victim's permissions, potentially leading to account takeover. Ghost Portal versions 2.29.1 through 2.51.4 and 2.52.0 through 2.57.0 were vulnerable to this issue. Ghost automatically loads the latest patch of the members Portal component via CDN. For Ghost 5.x users, upgrading to v5.121.0 or later fixes the vulnerability. v5.121.0 loads Portal v2.51.5, which contains the patch. For Ghost 6.x users, upgrading to v6.15.0 or later fixes the vulnerability. v6.15.0 loads Portal v2.57.1, which contains the patch. For Ghost installations using a customized or self-hosted version of Portal, it will be necessary to manually rebuild from or update to the latest patch version.
Deeper analysisAI
CVE-2026-24778 is a cross-site scripting (XSS) vulnerability (CWE-79) in the Ghost open-source content management system, stemming from the Ghost Portal component. It affects Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, as well as Ghost Portal versions 2.29.1 through 2.51.4 and 2.52.0 through 2.57.0. The issue arises because Ghost automatically loads the Portal component via CDN, and vulnerable versions allow execution of injected JavaScript. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
An unauthenticated attacker (PR:N) over the network (AV:N) can craft a malicious link with low complexity (AC:L) that requires user interaction (UI:R) to exploit. When an authenticated staff user or member accesses the link, it executes arbitrary JavaScript in the context of the victim's permissions, potentially enabling full account takeover through session hijacking, credential theft, or further privilege escalation within the Ghost instance.
Mitigation requires upgrading affected Ghost installations: for 5.x users, to version 5.121.0 or later, which loads the patched Portal v2.51.5; for 6.x users, to v6.15.0 or later, which loads Portal v2.57.1. Installations using customized or self-hosted Portal versions must manually rebuild from or update to the latest patched Portal release. Details are available in the Ghost security advisory (GHSA-gv6q-2m97-882h) and the fixing commit (da858e640e88e69c1773a7b7ecdc2008fa143849).
Details
- CWE(s)