Security Advisory - Published 2026-06-25 - Ghost CMS
Ghost CMS cache and member issues: check shared cache and public API logs
This Ghost batch is most urgent for sites using shared caching in front of Ghost, especially when frontend and admin run on the same domain. Patch Ghost, then review cache rules, preview handling, member signin logs, and public API filter usage.
Affected Ghost issues
| CVE | Patch | Review | CVSS |
|---|---|---|---|
| CVE-2026-53943 | Patch | cache | 9.6 |
| CVE-2026-53947 | Patch | members | 5.3 |
| CVE-2026-53949 | Patch | API | 5.3 |
Owner self-check
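```sh
# Installed Ghost version (Ghost-CLI), falling back to the dependency manifests
ghost version 2>/dev/null || grep -Rni 'ghost' package.json yarn.lock package-lock.json 2>/dev/null
# Cache, preview, member and API settings in Ghost and proxy configuration
grep -Rni 'cache\|preview\|members\|signin\|api\|filter' config*.json docker-compose.yml nginx caddy 2>/dev/null
# Recent preview, admin API, member and filter requests in the logs
grep -Rni 'x-ghost-preview\|/ghost/api\|/members/api\|signin\|filter' logs content/logs 2>/dev/null | tail -220
```
What to review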
- Ghost version and whether it is at least 6.37.0 for the cache issue.
- Whether the admin panel shares the same domain and cache layer as the public frontend.
- CDN, NGINX, Caddy, or reverse-proxy cache rules for preview and member paths.
- Public API filter logs, member signin logs, and repeated requests against member email addresses.
Safe fix path
- Upgrade Ghost to 6.37.0 or newer for the cache poisoning issue.
- Use 6.21.2 or newer for the public API filter issue and 6.21.1 or newer for the member signin issue.
- Bypass or separate cache for admin, preview, member, and API paths.
- Rotate staff sessions if same-domain cache exposure or suspicious preview traffic is present.
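The version thresholds above as a runnable check, added here as an example; it is not part of the advisory or of Ghost's own tooling. The function names `ver_lt` and `unpatched_cves` are hypothetical. It assumes every release below a fixed-in version is affected (the advisory gives no lower bound) and pairs each CVE with its fix version through the table's review area.

```sh
#!/bin/sh
# Added example: report which of the three advisory CVEs a Ghost version
# still needs a patch for. Fixed-in versions are the ones stated above.

# ver_lt A B: succeed when A is lower than B, comparing major.minor.patch
# numerically (a plain string compare would rank 6.9.0 above 6.21.1).
ver_lt() {
  a=$1; b=$2; i=1
  while [ "$i" -le 3 ]; do
    # Pad with ".0.0" so a short version such as "6" still has three fields.
    x=$(printf '%s\n' "$a.0.0" | cut -d. -f"$i")
    y=$(printf '%s\n' "$b.0.0" | cut -d. -f"$i")
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
    i=$((i + 1))
  done
  return 1   # equal versions are not "lower"
}

# unpatched_cves VERSION: print the CVEs (with review area) whose fix is
# newer than VERSION; print an empty line when all three are covered.
unpatched_cves() {
  v=${1#v}          # accept "v6.21.1"
  v=${v%%[-+]*}     # drop any pre-release or build suffix
  case $v in
    ''|.*|*.|*..*|*[!0-9.]*) echo "unparseable version: $1" >&2; return 2 ;;
  esac
  out=
  # Assumption: any release below the fixed-in version is affected.
  while read -r cve fixed area; do
    if ver_lt "$v" "$fixed"; then out="$out$cve($area) "; fi
  done <<EOF
CVE-2026-53943 6.37.0 cache
CVE-2026-53947 6.21.1 members
CVE-2026-53949 6.21.2 API
EOF
  printf '%s\n' "${out% }"
}
```

Source the file and call `unpatched_cves` with the version reported by the self-check; an empty result covers the version requirement only, so the cache rules and logs still need the review listed above.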
Repair help
Use Ping7 CVE Repair when Ghost shared cache rules, member logs, or public API filters need review before the site is left online.