CVE-2026-29053
Ghost Vulnerable to Remote Code Execution via Malicious Themes
Description
### Impact

Specifically crafted malicious themes can execute arbitrary code on the server running Ghost.

### Vulnerable Versions

This vulnerability is present in Ghost v0.7.2 to v6.19.0.

### Patches

v6.19.1 contains a fix for this issue.

### Workarounds

Ghost generally recommends users refrain from installing untrusted themes. If a malicious theme has already been installed, it is recommended to uninstall the theme and then inspect it to understand its impact, which will be attack-specific.

### References

Ghost thanks Cristian-Alexandru Staicu at Endor Labs for disclosing this vulnerability responsibly.

### For more information

If there are any questions or comments about this advisory, email Ghost at [security@ghost.org](mailto:security@ghost.org).
How to fix CVE-2026-29053
To remediate CVE-2026-29053, upgrade the affected package to a fixed version below.
- Upgrade to 6.19.1 or later
Is CVE-2026-29053 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 0.7.2, < 6.19.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.6 | CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H |