Home > Vulnerability Database > CVE-2026-22595

Mend.io Vulnerability Database

CVE-2026-22595

Good to know:

Date: January 9, 2026

Ghost is a Node.js content management system. In versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's handling of Staff Token authentication allowed certain endpoints to be accessed that were only intended to be accessible via Staff Session authentication. External systems that have been authenticated via Staff Tokens for Admin/Owner-role users would have had access to these endpoints. This issue has been patched in versions 5.130.6 and 6.11.0.

Severity Score

8.1

Related Resources (6)

Url: https://github.com/TryGhost/Ghost/commit/9513d2a35c21067127ce8192443d8919ddcefcc8

Url: https://github.com/TryGhost/Ghost

Url: https://github.com/TryGhost/Ghost/security/advisories/GHSA-9xg7-mwmp-xmjx

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-22595

Url: https://github.com/TryGhost/Ghost/commit/c3017f81a5387b253a7b8c1ba1959d430ee536a3

Url: https://www.mend.io/vulnerability-database/CVE-2026-22595

Severity Score

8.1

Weakness Type (CWE)

Incorrect Authorization

CWE-863

Top Fix

Upgrade Version

Upgrade to version ghost - 6.11.0;ghost - 5.130.6;https://github.com/TryGhost/Ghost.git - v5.130.6;https://github.com/TryGhost/Ghost.git - v6.11.0

Learn More

CVSS v3.1

Base Score:	8.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2026-22595

Good to know:

Date: January 9, 2026

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?