Security update available for Ghost 4.x and 5.x

We’ve been made aware of a security vulnerability in Ghost versions 4.x prior to 4.48.2 and 5.x prior to 5.2.3. This is patched in the latest releases, which have already been rolled out on Ghost(Pro). Self-hosters should update to 5.2.3 (or 4.48.2 for those still on v4) as soon as possible.


A vulnerability in an upstream library allows an authenticated Admin user to abuse the locale input so that Ghost executes arbitrary commands from a file that was previously uploaded through the file upload functionality in the post editor. Exploitation requires an account with the Admin role, so the exposure is to sites where an Admin account is compromised or held by a malicious user.


Ghost(Pro) has already been patched. Because Ghost(Pro) is maintained by the Ghost core team, it is patched immediately whenever a security issue is reported.

Patch & Workarounds:

Patched versions of Ghost add validation to the locale input so that it can no longer be used to load and execute arbitrary files. Updating Ghost is the quickest complete fix.

As a workaround, if for any reason you cannot update your Ghost instance, you can block the PUT /ghost/api/admin/settings/ endpoint (the Admin API route used to edit settings) at your reverse proxy. Note that this also disables all settings changes for your site until you update and remove the block.


Full details of the vulnerability have been published through GitHub Advisories. We’ve also published a notification to all affected sites that will appear in Ghost Admin, and shared the details here on the forum. Affected Ghost sites will also notify site owners by email.

We’re grateful to everyone who finds and reports vulnerabilities responsibly, following our security policy.
