CVE-2026-29784
Ghost has incomplete CSRF protections around OTC use
Description
### Impact Incomplete CSRF protections around `/session/verify` made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to take over a Ghost site. ### Vulnerable versions This vulnerability is present in Ghost from v5.101.6 up to v6.19.2. ### Patches v6.19.3 contains a fix for this issue. ### How to update For self-hosters using Docker, find [Docker's official Ghost image here](https://hub.docker.com/_/ghost). Updating a Docker-based Ghost instance [is documented here](https://docs.ghost.org/install/docker#updating-ghost). If a project's Ghost is a Ghost-CLI install see the documentation on [updating it to the latest version here](https://docs.ghost.org/update). ### For more information If there are any questions or comments about this advisory, send an email to [security@ghost.org](mailto:security@ghost.org).
How to fix CVE-2026-29784
To remediate CVE-2026-29784, upgrade the affected package to a fixed version below.
- —upgrade to 6.19.3 or later
- —upgrade to 6.19.3 or later
Is CVE-2026-29784 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 5.101.6, < 6.19.3
- >= 5.101.6, < 6.19.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |