CVE-2026-24778
Ghost vulnerable to XSS via malicious Portal preview links
Description
### Impact

An attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaScript with the victim's permissions, potentially leading to account takeover.

### Vulnerable versions

This vulnerability is present in Ghost versions:

- v5.43.0 to v5.120.4
- v6.0.0 to v6.14.0

As well as in Portal versions:

- v2.29.1 to v2.51.4
- v2.52.0 to v2.57.0

### Patches

Ghost automatically loads the latest patch of the members Portal component via CDN. Therefore:

- For Ghost 5.x users, upgrading to v5.121.0 or later fixes the vulnerability (loads Portal v2.51.5, which contains the patch)
- For Ghost 6.x users, upgrading to v6.15.0 or later fixes the vulnerability (loads Portal v2.57.1, which contains the patch)

For Ghost installations using a customised or self-hosted version of Portal, it will be necessary to manually rebuild from or update to the latest patch version.

### References

Ghost thanks Younes Belalia for discovering and disclosing this vulnerability responsibly.

### For more information

If users have any questions or comments about this advisory, email Ghost at [security@ghost.org](mailto:security@ghost.org).
How to fix CVE-2026-24778
To remediate CVE-2026-24778, upgrade the affected package to a fixed version below.
- —upgrade to 5.121.0 or later
- —upgrade to 5.121.0 or later
- —upgrade to 2.51.5 or later
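A small version check against the affected and fixed ranges stated in the advisory (an added example, not Ghost's or Portal's own tooling). The product labels `ghost` and `portal`, the function names and the sample version strings are assumptions; the ranges themselves are taken from the advisory text. A self-hosted or customised Portal bundle must be checked separately from the Ghost version, because the CDN auto-patching does not apply to it.

```python
"""Check a Ghost or Portal version against the ranges in CVE-2026-24778."""
import re
from typing import Tuple

Version = Tuple[int, int, int]

# [introduced, fixed) ranges from the advisory: a version is affected when
# introduced <= version < fixed. The fixed versions come from the Patches section.
AFFECTED_RANGES = {
    "ghost":  [((5, 43, 0), (5, 121, 0)), ((6, 0, 0), (6, 15, 0))],
    "portal": [((2, 29, 1), (2, 51, 5)), ((2, 52, 0), (2, 57, 1))],
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Turn 'v5.120.4' or '5.120.4-beta.1' into (5, 120, 4); prerelease tags are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def is_affected(product: str, version: str) -> bool:
    """Return True if this product version falls inside an affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES[product.lower()])


def remediation(product: str, version: str) -> str:
    """Name the first fixed version on the same release line, or report not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES[product.lower()]:
        if lo <= v < hi:
            fixed = ".".join(str(n) for n in hi)
            return f"{product} {version} is affected: upgrade to {fixed} or later"
    return f"{product} {version} is not in an affected range"


if __name__ == "__main__":
    # Constructed sample inputs (e.g. from `ghost version` and the Portal bundle in use).
    samples = [("ghost", "v5.120.4"), ("ghost", "6.15.0"),
               ("portal", "2.51.5"), ("portal", "v2.56.2")]
    for product, version in samples:
        print(remediation(product, version))
```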
Is CVE-2026-24778 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- >= 5.43.0, < 5.121.0, >= 6.0.0, < 6.15.0