Cyber Resilience

CVE-2026-24778

High

Published: 27 January 2026

Published
27 January 2026
Modified
02 February 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0026 16.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-24778 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Ghost Ghost. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-24778 is a cross-site scripting (XSS) vulnerability (CWE-79) in the Ghost open-source content management system, stemming from the Ghost Portal component. It affects Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, as well as Ghost Portal versions 2.29.1 through 2.51.4 and 2.52.0 through 2.57.0. The issue arises because Ghost automatically loads the Portal component via CDN, and vulnerable versions allow execution of injected JavaScript. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

An unauthenticated attacker (PR:N) over the network (AV:N) can craft a malicious link with low complexity (AC:L) that requires user interaction (UI:R) to exploit. When an authenticated staff user or member accesses the link, it executes arbitrary JavaScript in the context of the victim's permissions, potentially enabling full account takeover through session hijacking, credential theft, or further privilege escalation within the Ghost instance.

Mitigation requires upgrading affected Ghost installations: for 5.x users, to version 5.121.0 or later, which loads the patched Portal v2.51.5; for 6.x users, to v6.15.0 or later, which loads Portal v2.57.1. Installations using customized or self-hosted Portal versions must manually rebuild from or update to the latest patched Portal release. Details are available in the Ghost security advisory (GHSA-gv6q-2m97-882h) and the fixing commit (da858e640e88e69c1773a7b7ecdc2008fa143849).

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, an attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaScript…

more

with the victim's permissions, potentially leading to account takeover. Ghost Portal versions 2.29.1 through 2.51.4 and 2.52.0 through 2.57.0 were vulnerable to this issue. Ghost automatically loads the latest patch of the members Portal component via CDN. For Ghost 5.x users, upgrading to v5.121.0 or later fixes the vulnerability. v5.121.0 loads Portal v2.51.5, which contains the patch. For Ghost 6.x users, upgrading to v6.15.0 or later fixes the vulnerability. v6.15.0 loads Portal v2.57.1, which contains the patch. For Ghost installations using a customized or self-hosted version of Portal, it will be necessary to manually rebuild from or update to the latest patch version.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

XSS in public-facing Ghost Portal enables arbitrary JS execution (T1059.007) via malicious link to the app (T1190) and direct session cookie theft for account takeover (T1539).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-29053Same product: Ghost Ghost
CVE-2026-22596Same product: Ghost Ghost
CVE-2026-22594Same product: Ghost Ghost
CVE-2026-29784Same product: Ghost Ghost
CVE-2026-26980Same product: Ghost Ghost
CVE-2026-22595Same product: Ghost Ghost
CVE-2026-27099Shared CWE-79
CVE-2026-25442Shared CWE-79
CVE-2026-1008Shared CWE-79
CVE-2025-23683Shared CWE-79

Affected Assets

ghost
ghost
5.43.0 — 5.121.0 · 6.0.0 — 6.15.0
ghost
portal
2.29.1 — 2.51.5 · 2.52.0 — 2.57.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 directly mandates identifying, reporting, and correcting flaws like this XSS vulnerability through timely patching of affected Ghost and Portal versions.

prevent

SI-15 requires filtering information outputs to prevent execution of injected JavaScript from malicious links in the Ghost Portal component.

prevent

SI-10 enforces validation of inputs such as crafted malicious links to block the XSS payload before it reaches authenticated users.

References