CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24778: Ghost in the Shell: Unmasking the Portal XSS (CVE-2026-24778)

Vulnerability ID: CVE-2026-24778
CVSS Score: 8.8
Published: 2026-01-28

A critical Reflected Cross-Site Scripting (XSS) vulnerability exists in the 'Portal' component of Ghost CMS. By manipulating the configuration options passed via URL parameters in 'preview' mode, attackers can inject malicious JavaScript. This allows unauthenticated actors to execute code in the context of an administrator or member, leading to potential account takeover.

TL;DR

The Ghost CMS 'Portal' membership interface allows configuration overrides via URL for preview purposes. Due to missing sanitization, an attacker can craft a link containing a malicious 'accent color' or 'signup terms' payload. If an admin clicks this link, the attacker's JavaScript executes, potentially stealing session cookies.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79 (Cross-site Scripting)
  • CVSS v3.1: 8.8 (High)
  • Attack Vector: Network (Reflected)
  • Privileges Required: None
  • User Interaction: Required (Clicking Link)
  • EPSS Score: 0.04%
  • Exploit Status: PoC Available

Affected Systems

  • Ghost CMS (Core)
  • Ghost Portal (Standalone Component)
  • Ghost Core (v5): 5.43.0 - 5.120.4 (Fixed in: 5.121.0)
  • Ghost Core (v6): 6.0.0 - 6.14.0 (Fixed in: 6.15.0)
  • @tryghost/portal: 2.29.1 - 2.51.4 (Fixed in: 2.51.5)

Code Analysis

Commit: da858e6

Fix XSS in Portal by sanitizing HTML and validating hex colors

+ import DOMPurify from 'dompurify';
+ const validateHexColor = (color) => { ... };
- <style dangerouslySetInnerHTML={{__html: styles}} />
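Review bot: The body of validateHexColor is elided ({ ... }) in the second added line, so this excerpt does not show whether the check covers the whole string. The match should be anchored at both ends, and a value that fails should be replaced with a default color rather than passed through. The removed <style dangerouslySetInnerHTML=... /> line has no visible replacement and the DOMPurify import has no visible call site, so it is worth confirming that the styles are now rendered as text and that the sanitized output, not the raw value, is what reaches the DOM.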

Exploit Details

  • Researcher: Exploit utilizes the accent_color URL parameter to break out of a STYLE tag.

Mitigation Strategies

  • Input Sanitization
  • Content Security Policy (CSP)
  • Strict Type Validation
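
Strict type validation applied to the accent color, as an added example that is not Ghost's code or the code from the fix commit. Only the accent_color parameter name comes from this page; the query-string format, the fallback color and all function names are assumptions.

```javascript
// Added example: allowlist validation of a color value read from a URL.
// DEFAULT_ACCENT, parseAccentColor, accentFromQuery and accentStyleRule
// are hypothetical names, not identifiers from Ghost or @tryghost/portal.

const DEFAULT_ACCENT = '#15171a'; // constructed fallback value

// Anchored at both ends: the whole string must be #RGB, #RGBA,
// #RRGGBB or #RRGGBBAA. Without the anchors, a valid prefix followed
// by arbitrary text would pass.
const HEX_COLOR = /^#(?:[0-9a-f]{3,4}|[0-9a-f]{6}|[0-9a-f]{8})$/i;

// Return a normalized hex color, or the default for anything else
// (wrong type, named colors, CSS functions, trailing content).
function parseAccentColor(raw) {
    if (typeof raw !== 'string') {
        return DEFAULT_ACCENT;
    }
    const value = raw.trim();
    return HEX_COLOR.test(value) ? value.toLowerCase() : DEFAULT_ACCENT;
}

// Read the parameter from a query string (format assumed) and validate it.
// URLSearchParams percent-decodes the value, so validation runs on the
// decoded text, which is what would end up in the page.
function accentFromQuery(query) {
    const params = new URLSearchParams(query);
    return parseAccentColor(params.get('accent_color'));
}

// After validation the value contains only '#' and hex digits, so it
// cannot terminate a declaration, a rule, or the enclosing style element.
function accentStyleRule(query) {
    return `:root { --accent: ${accentFromQuery(query)}; }`;
}

// Constructed sample inputs.
console.log(accentStyleRule('accent_color=%23FF5500'));
console.log(accentStyleRule('accent_color=%23abc%3C%2Fstyle%3E'));
```
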

Remediation Steps:

  1. Upgrade Ghost Core to version 5.121.0+ or 6.15.0+
  2. If self-hosting the Portal, update @tryghost/portal to v2.51.5+ or v2.57.1+
  3. Implement a strict Content Security Policy (CSP) that disallows inline scripts (no 'unsafe-inline')
  4. Clear CDN and browser caches to ensure the patched JavaScript bundle is loaded

Read the full report for CVE-2026-24778 on our website for more details including interactive diagrams and full exploit analysis.
