QwikSec

Security Database

CVE

CWE

Training

CVE-2026-22597

Published: Jan 10, 2026

Modified: Jan 12, 2026

PUBLISHED

Description

Ghost is a Node.js content management system. In versions 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost’s media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API to exfiltrate data from internal systems via SSRF. This issue has been patched in versions 5.130.6 and 6.11.0.

Vendor	Product	Versions
TryGhost	Ghost	affected `>= 6.0.0, < 6.11.0` affected `>= 5.38.0, < 5.130.6`

Weaknesses (CWE)

References

https://github.com/TryGhost/Ghost/security/advisories/GHSA-vmc4-9828-r48r

x_refsource_CONFIRM

https://github.com/TryGhost/Ghost/commit/15d49131ff4aac3aca8642501c793f01f2bfcbb9

x_refsource_MISC

https://github.com/TryGhost/Ghost/commit/93add549ccf079d8e28bdb724fbb71a76942ff51

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.