Cyber Posture

CVE-2026-29053

High

Published: 05 March 2026

Modified: 09 March 2026
KEV Added: not listed (not currently in the CISA KEV catalog)
Patch: fixed in Ghost 6.19.1
CVSS Score: 7.6 (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0003 (7.6th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-29053 is a high-severity Injection (CWE-74) vulnerability in Ghost (vendor Ghost, product Ghost). Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 7.6th percentile by EPSS exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, JavaScript execution (T1059.007).
Threat & Defense Details

Likely Mitigating Controls [AI]

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control addressing CWE-74: Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.

Control addressing CWE-74: Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

RCE via crafted malicious theme upload in public-facing Node.js CMS (Ghost) directly enables T1190 for initial server compromise and T1059.007 for JavaScript-based arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Ghost is a Node.js content management system. From version 0.7.2 to 6.19.0, specifically crafted malicious themes can execute arbitrary code on the server running Ghost. This issue has been patched in version 6.19.1.

Deeper analysis [AI]

CVE-2026-29053 is an arbitrary code execution vulnerability affecting Ghost, a Node.js content management system. The flaw exists in versions 0.7.2 through 6.19.0, where specifically crafted malicious themes can execute arbitrary code on the server running Ghost. It is classified under CWE-74 (Injection) with a CVSS v3.1 base score of 7.6 (AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H), indicating high severity due to its potential impact across confidentiality, integrity, and availability.

Exploitation requires a high-privilege user, such as an administrator, to interact with a malicious theme, likely by uploading or installing it via the Ghost admin interface over a network connection. The high attack complexity and user interaction prerequisites limit feasibility, but successful exploitation grants attackers a scope change with server-side code execution privileges, enabling full compromise of the hosting environment.

The issue has been addressed in Ghost version 6.19.1. Additional details on the vulnerability and patch are available in the GitHub Security Advisory at https://github.com/TryGhost/Ghost/security/advisories/GHSA-cgc2-rcrh-qr5x. Security practitioners should upgrade to the patched version and review theme sources for any signs of compromise.

Details

CWE(s): CWE-74 (Injection)

Affected Products

Vendor: ghost
Product: ghost
Versions: 0.7.2 to 6.19.1 (fixed in 6.19.1)

CVEs Like This One

CVE-2026-22596 (same product: Ghost Ghost)
CVE-2026-22594 (same product: Ghost Ghost)
CVE-2026-26980 (same product: Ghost Ghost)
CVE-2026-29784 (same product: Ghost Ghost)
CVE-2026-22595 (same product: Ghost Ghost)
CVE-2026-24778 (same product: Ghost Ghost)
CVE-2026-25520 (shared CWE-74)
CVE-2026-27194 (shared CWE-74)
CVE-2026-31816 (shared CWE-74)
CVE-2026-25814 (shared CWE-74)
