Cyber Resilience

CVE-2026-29053

High

Published: 05 March 2026
Modified: 09 March 2026
KEV Added: not listed
Patch: 6.19.1
CVSS v3.1 score: 7.6 (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H)
EPSS score: 0.0037 (28.9th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-29053 is a high-severity Injection (CWE-74) vulnerability in Ghost (vendor: Ghost). Its CVSS v3.1 base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 28.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-29053 is an arbitrary code execution vulnerability affecting Ghost, a Node.js content management system. The flaw exists in versions 0.7.2 through 6.19.0, where specifically crafted malicious themes can execute arbitrary code on the server running Ghost. It is classified under CWE-74 (Injection) with a CVSS v3.1 base score of 7.6 (AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H), indicating high severity due to its potential impact across confidentiality, integrity, and availability.

Exploitation requires a high-privilege user, such as an administrator, to interact with a malicious theme, likely by uploading or installing it via the Ghost admin interface over a network connection. The high attack complexity and user interaction prerequisites limit feasibility, but successful exploitation grants attackers a scope change with server-side code execution privileges, enabling full compromise of the hosting environment.

The issue has been addressed in Ghost version 6.19.1. Additional details on the vulnerability and patch are available in the GitHub Security Advisory at https://github.com/TryGhost/Ghost/security/advisories/GHSA-cgc2-rcrh-qr5x. Security practitioners should upgrade to the patched version and review theme sources for any signs of compromise.


Vulnerability details

Ghost is a Node.js content management system. From version 0.7.2 to 6.19.0, specifically crafted malicious themes can execute arbitrary code on the server running Ghost. This issue has been patched in version 6.19.1.

CWE(s): CWE-74 (Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
  Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript (Execution)
  Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

RCE via crafted malicious theme upload in public-facing Node.js CMS (Ghost) directly enables T1190 for initial server compromise and T1059.007 for JavaScript-based arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22596 (same product: Ghost)
CVE-2026-26980 (same product: Ghost)
CVE-2026-22594 (same product: Ghost)
CVE-2026-29784 (same product: Ghost)
CVE-2026-22595 (same product: Ghost)
CVE-2026-24778 (same product: Ghost)
CVE-2026-25520 (shared CWE-74)
CVE-2026-25814 (shared CWE-74)
CVE-2026-27727 (shared CWE-74)
CVE-2026-7770 (shared CWE-74)

Affected Assets

Vendor: ghost
Product: ghost
Version range as listed: 0.7.2 to 6.19.1 (the advisory text above identifies 6.19.1 as the patched release and 6.19.0 as the last affected version)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent)
  Directly mitigates the vulnerability by requiring timely remediation through upgrading Ghost to the patched version 6.19.1.

CM-11 User-installed Software (prevent)
  Prevents high-privilege users from installing specially crafted malicious themes that enable arbitrary code execution.

Malicious code protection (prevent, detect)
  Provides malicious code scanning and protection mechanisms to identify and block crafted themes containing exploitable code during upload or installation.
