SCA: security update for ghost (GHSA-62q6-4hv4-vjrw)

critical Tenable Cloud Security Plugin ID 444259

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Ghost is a Node.js content management system. From until 6.37.0, when Ghost is behind a shared caching
layer that results in cached content being shared between different visitors, an unauthenticated user
could send an x-ghost-preview header that altered the rendered frontend response. In affected cache
configurations, that response could be stored and served to subsequent visitors requesting the same page,
allowing cache poisoning of request-specific preview output. When running Ghost's frontend and admin panel
on the same domain this could be used to take over staff user accounts. When running these on different
domains staff accounts have no exposure. This vulnerability is fixed in 6.37.0. (CVE-2026-53943)

Solution

Update the ghost library and its related packages to version 6.37.0 or later.

See Also

https://github.com/advisories/GHSA-62q6-4hv4-vjrw

Plugin Details

Severity: Critical

ID: 444259

Version: Revision 1.1

Type: Local

Family: SCA Checks

Published: 7/2/2026

Updated: 7/2/2026

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.19

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-53943

CVSS v3

Risk Factor: Critical

Base Score: 9.6

Temporal Score: 8.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/1/2026

Vulnerability Publication Date: 6/24/2026

Reference Information

CVE: CVE-2026-53943

cwe: CWE-524