- CVE: CVE-2026-53943
- CVSS: 9.6 (Critical · CVSSv3)
- Product: ghost (npm)
- Affected: >= 4.0.0, <= 6.36.0
- Impact: Ghost: Cache-poisoning XSS in Ghost frontend via x-ghost-preview header
- Status: No confirmed exploitation yet
- Patched in: 6.37.0
- EPSS: 0.2% (30-day)
- Action: Update to 6.37.0 now
Ghost released version 6.37.0 to fix a critical cache poisoning bug. The Ghost cache poisoning flaw, tracked as CVE-2026-53943, scores 9.6 on the CVSS scale. An unauthenticated attacker can abuse it to hijack staff accounts on some setups.
Why This Ghost Cache Poisoning Bug Matters
Ghost powers tens of thousands of sites and serves hundreds of millions of requests each day. Big names like Mozilla, DuckDuckGo, and Cloudflare rely on it. As a result, one shared-cache flaw can reach a huge audience.
The bug needs no login, and the fix already ships. Therefore, exposed sites should update without delay.
How the Attack Works
Many Ghost sites sit behind a shared cache such as Fastly, Cloudflare, or nginx. The cache key, however, ignores the x-ghost-preview header. So the server can store a preview response under the same key as the public page.
An attacker sends a crafted x-ghost-preview header to a normal URL. The poisoned preview output then lands in the shared cache. Later visitors to that page receive the attacker’s injected content instead.
From Cache Poisoning to Account Takeover
When the frontend and admin panel share one domain, the injected script can read session cookies. Consequently, an attacker can hijack staff accounts. Sites that split these onto separate domains avoid this exposure.
Affected Versions
The flaw affects Ghost from v4.0 through v6.36.0. Version 6.37.0 delivers the fix. Additionally, you can check each build on the official Ghost releases page.
Patch and Mitigation
Update to Ghost 6.37.0 or later right away. If you cannot patch yet, set your cache layer to bypass requests carrying the x-ghost-preview header. Suspect a breach? Use the “Reset all authentication” option under Settings, added in v6.41.0. The official GitHub advisory lists the full details.
No public exploit or in-the-wild abuse has been reported. A researcher known as CryptoCat disclosed the issue responsibly. Even so, the high score makes fast action on this Ghost cache poisoning flaw wise.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.