CVE-2023-26510

MEDIUM
Published Mar 5, 20233y ago · Modified Jun 17, 20261w ago
5.7 CVSS 3.1
Medium
Find Similar
Published Mar 5, 2023 3y ago
Last Modified Jun 17, 2026 1w ago

Description

Ghost 5.35.0 allows authorization bypass: contributors can view draft posts of other users, which is arguably inconsistent with a security policy in which a contributor's draft can only be read by editors until published by an editor. NOTE: the vendor's position is that this behavior has no security impact.

CVSS Details

Base Score
5.7
Exploitability
2.1
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-862 Missing Authorization Authorization

Affected Products 1

VendorProductVersionRange
ghostghost5.35.0any

References 3

  • ghost.org https://ghost.org/docs/security/
    Vendor Advisory
  • gist.github.com https://gist.github.com/yurahod/2e11eabbe4b92ef1d44b08e37023ecfb
    Third Party Advisory
  • gist.github.com https://gist.github.com/yurahod/828d5e6a077c12f3f74c6485d1c7f0e7
    Third Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.