Description

Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. This issue has been patched in versions 5.130.6 and 6.11.0.

INFO

Published Date :

2026-01-10T02:56:47.226Z

Last Modified :

2026-01-12T17:53:57.181Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-22594 vulnerability.

Vendors Products
Ghost
  • Ghost
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-22594.

URL Resource
https://github.com/TryGhost/Ghost/commit/b59f707f670e6f175b669977724ccf16c718430b cve-icon cve-icon
https://github.com/TryGhost/Ghost/commit/fc7bc2fb0888513498154ec5cb4b21eccb88de07 cve-icon cve-icon
https://github.com/TryGhost/Ghost/security/advisories/GHSA-5fp7-g646-ccf4 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact