CVE-2026-29784

Name of the Vulnerable Software and Affected Versions Ghost versions 5.101.6 through 6.19.2

Description Incomplete CSRF protections around the /session/verify API endpoint allowed the use of One-Time Codes (OTCs) in login sessions different from the requesting session. This could potentially allow attackers to take over a Ghost site through phishing attacks.

Recommendations Update to version 6.19.3 or later.