CVE-2026-24778

8.8 HIGH

📋 TL;DR

This is a cross-site scripting (XSS) vulnerability in Ghost CMS that allows attackers to craft malicious links. When authenticated staff users or members click these links, JavaScript executes with their permissions, potentially leading to account takeover. Affected versions include Ghost 5.43.0-5.12.04, 6.0.0-6.14.0, and Portal 2.29.1-2.51.4, 2.52.0-2.57.0.

💻 Affected Systems

Products:
  • Ghost CMS
  • Ghost Portal
Versions: Ghost 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0; Portal 2.29.1 through 2.51.4 and 2.52.0 through 2.57.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Ghost installations using CDN-loaded Portal components are automatically vulnerable. Custom or self-hosted Portal installations require manual updates.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover of administrative staff users leading to full system compromise, data theft, and website defacement.

🟠 Likely Case

Session hijacking and privilege escalation for authenticated users, potentially leading to unauthorized content modifications.

🟢 If Mitigated

Limited impact if proper content security policies and user awareness training are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (clicking malicious link) but is straightforward once the link is crafted.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Ghost 5.121.0+ or 6.15.0+; Portal 2.51.5+ or 2.57.1+

Vendor Advisory: https://github.com/TryGhost/Ghost/security/advisories/GHSA-gv6q-2m97-882h

Restart Required: Yes

Instructions:

1. For Ghost 5.x: Upgrade to v5.121.0 or later.
2. For Ghost 6.x: Upgrade to v6.15.0 or later.
3. For custom Portal installations: Manually update to Portal v2.51.5+ (for Ghost 5.x) or v2.57.1+ (for Ghost 6.x).
4. Restart the Ghost service after the upgrade.

🔧 Temporary Workarounds

Content Security Policy (CSP)

Applies to: all

Implement strict CSP headers to block inline JavaScript execution and restrict script sources. Roll the policy out in Content-Security-Policy-Report-Only mode first and confirm the admin interface and Portal still work before enforcing it, since a policy that breaks the CMS will get removed rather than kept.

User Awareness Training

Applies to: all

Train staff and members to avoid clicking suspicious links and to recognize phishing attempts.

🧯 If You Can't Patch

  • Implement strict Content Security Policy headers to mitigate XSS impact
  • Disable or restrict member/staff access to external links within the CMS

🔍 How to Verify

Check if Vulnerable:

Check Ghost version via admin panel or run: ghost version

Check Version:

ghost version

Verify Fix Applied:

Confirm the Ghost version is 5.121.0 or later (5.x line) or 6.15.0 or later (6.x line), and that the Portal version is 2.51.5 or later (Ghost 5.x) or 2.57.1 or later (Ghost 6.x). Installations that load Portal from the CDN receive the fixed Portal automatically; custom or self-hosted Portal builds must be checked and updated separately.
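The version check above, as an added helper that is not part of this advisory or of Ghost's own tooling: it parses a version string (for example the output of `ghost version`) and compares it against the affected ranges listed on this page. It assumes every release below the patched version in the same line is unpatched, so the Ghost 5.x upper bound is taken from the fix version (5.121.0) rather than the "5.12.04" figure; the `ghost version` output format is also assumed to contain an x.y.z triple.

```python
"""Compare Ghost / Portal version strings against the CVE-2026-24778 ranges."""
import re
import subprocess

# Affected ranges from the advisory as [first_affected, first_fixed) per line.
# Assumption: anything below the patched release of a line is treated as unpatched.
GHOST_RANGES = [((5, 43, 0), (5, 121, 0)), ((6, 0, 0), (6, 15, 0))]
PORTAL_RANGES = [((2, 29, 1), (2, 51, 5)), ((2, 52, 0), (2, 57, 1))]


def parse_version(text):
    """Return the first x.y.z triple found in text (e.g. `ghost version` output)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def in_affected_range(version, ranges):
    """True if version falls inside any [low, high) range."""
    return any(lo <= version < hi for lo, hi in ranges)


def ghost_is_vulnerable(version_text):
    return in_affected_range(parse_version(version_text), GHOST_RANGES)


def portal_is_vulnerable(version_text):
    return in_affected_range(parse_version(version_text), PORTAL_RANGES)


def assess(ghost_text, portal_text=None):
    """Verdict for a Ghost install; pass portal_text only for self-hosted Portal."""
    findings = []
    if ghost_is_vulnerable(ghost_text):
        findings.append("Ghost core is in an affected range: upgrade to 5.121.0+ / 6.15.0+")
    if portal_text is not None and portal_is_vulnerable(portal_text):
        findings.append("Self-hosted Portal is in an affected range: update to 2.51.5+ / 2.57.1+")
    return findings or ["Not in an affected range per this advisory"]


if __name__ == "__main__":
    # Assumption: `ghost version` prints a line containing the installed version.
    try:
        out = subprocess.run(["ghost", "version"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        out = "5.120.4"  # constructed sample used when the ghost CLI is not installed
    for line in assess(out):
        print(line)
```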

📡 Detection & Monitoring

Log Indicators:

  • Unexpected actions performed by authenticated staff or member sessions (the injected script runs with the victim's permissions, so the evidence is the actions taken in that session, not the script itself)
  • Suspicious URL parameters in access logs

Network Indicators:

  • Requests containing malicious script payloads in URL parameters

SIEM Query:

source="ghost_access.log" AND (url="*javascript:*" OR url="*<script>*")

Note: payloads in access logs are usually URL-encoded (for example %3Cscript%3E), so decode the URL field or add encoded variants of these patterns before relying on this query, and expect some false positives from legitimate content that contains these strings.
