CVE-2026-29053
Published: 05 March 2026
Summary
CVE-2026-29053 is a high-severity Injection (CWE-74) vulnerability in Ghost. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 28.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-29053 is an arbitrary code execution vulnerability affecting Ghost, a Node.js content management system. The flaw exists in versions 0.7.2 through 6.19.0, where specifically crafted malicious themes can execute arbitrary code on the server running Ghost. It is classified under CWE-74 (Injection) with a CVSS v3.1 base score of 7.6 (AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H), indicating high severity due to its potential impact across confidentiality, integrity, and availability.
Exploitation requires a high-privilege user, such as an administrator, to interact with a malicious theme, most likely by uploading or installing it through the Ghost admin interface over the network. The high attack complexity and the user-interaction prerequisite limit feasibility, but successful exploitation crosses a scope boundary and yields server-side code execution, enabling full compromise of the hosting environment.
The issue has been addressed in Ghost version 6.19.1. Additional details on the vulnerability and patch are available in the GitHub Security Advisory at https://github.com/TryGhost/Ghost/security/advisories/GHSA-cgc2-rcrh-qr5x. Security practitioners should upgrade to the patched version and review theme sources for any signs of compromise.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9788
Vulnerability details
Ghost is a Node.js content management system. From version 0.7.2 to 6.19.0, specifically crafted malicious themes can execute arbitrary code on the server running Ghost. This issue has been patched in version 6.19.1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote code execution via a crafted malicious theme uploaded to a public-facing Node.js CMS (Ghost) maps directly to T1190 (Exploit Public-Facing Application) for initial server compromise and to T1059.007 (Command and Scripting Interpreter: JavaScript) for the resulting arbitrary code execution.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the vulnerability by requiring timely remediation through upgrading Ghost to the patched version 6.19.1.
- CM-11 (User-installed Software): prevents high-privilege users from installing specifically crafted malicious themes that enable arbitrary code execution.
- Malicious code scanning and protection mechanisms identify and block crafted themes containing exploitable code during upload or installation.