CVE-2026-53944 — MEDIUM (5.8)

Vulnerability Description

Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, when making an external request, it is possible to bypass the IP filter that ensures the request isn't going to an internal service using an IPv6 literal which maps to a private IPv4 address. This vulnerability is fixed in 6.21.1.

CVSS Score

5.8

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Related Weaknesses (CWE)

CWE-184 CWE-918

References

https://github.com/TryGhost/Ghost/security/advisories/GHSA-wvp2-4qqp-4h3r

FAQ

What is CVE-2026-53944?

CVE-2026-53944 is a vulnerability with a CVSS score of 5.8 (MEDIUM). Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, when making an external request, it is possible to bypass the IP filter that ensures the request isn't going to an internal servi...

How severe is CVE-2026-53944?

CVE-2026-53944 has been rated MEDIUM with a CVSS base score of 5.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-53944?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.