Home > Vulnerability Database > CVE-2026-22597

Mend.io Vulnerability Database

CVE-2026-22597

Good to know:

Date: January 9, 2026

Ghost is a Node.js content management system. In versions 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost’s media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API to exfiltrate data from internal systems via SSRF. This issue has been patched in versions 5.130.6 and 6.11.0.

Severity Score

4.1

Related Resources (6)

Url: https://github.com/TryGhost/Ghost/commit/15d49131ff4aac3aca8642501c793f01f2bfcbb9

Url: https://github.com/TryGhost/Ghost

Url: https://github.com/TryGhost/Ghost/commit/93add549ccf079d8e28bdb724fbb71a76942ff51

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-22597

Url: https://github.com/TryGhost/Ghost/security/advisories/GHSA-vmc4-9828-r48r

Url: https://www.mend.io/vulnerability-database/CVE-2026-22597

Severity Score

4.1

Weakness Type (CWE)

Server-Side Request Forgery (SSRF)

CWE-918

Top Fix

Upgrade Version

Upgrade to version ghost - 6.11.0;ghost - 5.130.6

Learn More

CVSS v3.1

Base Score:	4.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-22597

Good to know:

Date: January 9, 2026

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?