CVE-2026-22594 · HIGH 8.1 · EPSS p28.4%

Description

Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. This issue has been patched in versions 5.130.6 and 6.11.0.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.37% probability of exploitation · percentile 28.4% · 2026-06-18T12:00:27Z
Published: 2026-01-10
Last modified: 2026-01-15

Underlying weaknesses · 1

CWE-287

References

  1. https://github.com/TryGhost/Ghost/commit/b59f707f670e6f175b669977724ccf16c718430b
  2. https://github.com/TryGhost/Ghost/commit/fc7bc2fb0888513498154ec5cb4b21eccb88de07
  3. https://github.com/TryGhost/Ghost/security/advisories/GHSA-5fp7-g646-ccf4

| Type | Target | Confidence | Tier |
|---|---|---|---|
| Weakness | Improper Authentication (cwe-287) | 0% | live |

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-22595
  2. CVE-2026-29053
  3. CVE-2026-29784
  4. CVE-2025-31694
  5. CVE-2026-8293
  6. CVE-2026-4924

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.