CVE-2026-29053

HIGH7.6EPSS 0.03%

Ghost Vulnerable to Remote Code Execution via Malicious Themes

Published: 3/3/2026Modified: 3/7/2026

Also known as:GHSA-cgc2-rcrh-qr5xBIT-ghost-2026-29053

Description

### Impact Specifically crafted malicious themes can execute arbitrary code on the server running Ghost. ### Vulnerable Versions This vulnerability is present in Ghost v0.7.2 to v6.19.0. ### Patches v6.19.1 contains a fix for this issue. ### Workarounds Ghost generally recommends users refrain from installing untrusted themes. If a malicious theme has already been installed, it is recommended to uninstall the theme and then inspect it to understand its impact, which will be attack-specific. ### References Ghost thanks Cristian-Alexandru Staicu at Endor Labs for disclosing this vulnerability responsibly. ### For more information If there are any questions or comments about this advisory, email Ghost at [[email protected]](mailto:[email protected]).

Affected packages (2)

Bitnami/ghost>= 0.7.2, < 6.19.1
npm/ghost>= 0.7.2, < 6.19.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.6	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Description

Affected packages (2)

CVSS scores

References (3)