Ghost 6.15 was released with a security fix for an XSS vulnerability in the portal. Bad actors are now aware of the vulnerable, but no new Docker image is available to install with the fix. A fix is being worked out here, in a third-party repo: Docker builds fail …

Here’s public disclosure of the latest SQL injection vuln. @curiositry Note that it describes a temporary mitigation that can be implemented with a reverse proxy that you may have running in front of Ghost. An LLM could help with the specific syntax needed for whichever product you might be using a …

More info on what this is waiting on here: Publish v6.19.1 to Docker opened 10:58PM - 16 Feb 26 UTC (UTC) [image] philipithomas needs:triage …

OK, so I’m confused about why the Docker version is considered “not official” when it’s listed as a preview in the official Ghost docs themselves: [image] How To Install Ghost With Docker (preview) - Ghost Developer Docs Preview our new batteries-included tools for self-hosting Ghost us…

Looks like @tianon has reviewed and merged! [security] Update ghost (#20860) master ← docker-library-bot:ghost opened 11:13PM - 13 Feb 26 UTC (UTC) [image] …

EDIT: While writing this it looks like there might be movement on the revised docker image, so if it’s available shortly, it may be best to wait for that. Original post: For my site, which does not appear to have integrations or other elements that use the following types of API requests: Conten…

Fix is live: ghost - Official Image | Docker Hub Publish by web and email newsletter, with member signups and subscription payments. Thanks for sharing your snippet @mbdmbd . I would have done the same thing with my Nginx reverse proxy, I just didn’t have ti…

[image] curiositry: Fix is live: https://hub.docker.com/\_/ghost It seems to be partially live. The page is reporting both that there are 6.19.1* images available, but also on the right hand side that the latest image is four days old. When I do a docker compose pull it still seems to be get…

Looks like it’s live for me now too :tada:

I just got the fix! I still see the “four days old” but docker pulled the new image.

I’m really appreciative that the Docker image was just updated, thank you to the folks who pulled all this together! I feel like if Docker is a “community-maintained” installation method and not officially supported by Ghost, the docs should really reflect that. I read through the entire installati…

Self-hosters left vulnerable to XSS vuln due to second-class Docker support

Developer help

markstos February 17, 2026, 11:27am 37

There’s an official post in the forum about this now here:

It includes this statement:

We’re actively working on improving when and how we release security updates to the Docker image.

Otherwise it does not contain new information.

2 Likes

Topic		Replies	Views
Self hosted Ghost is from hell? Developer help	23	775	February 5, 2026
Official Docker based ghost from Ghost team itself Ideas 🚧-rejected	3	1303	July 8, 2018
(Docker) Ghost crashes when uploading photos on one machine but not the other Self-hosting	7	327	January 29, 2024
Upgrade fatigue Using Ghost	11	544	June 24, 2023
(Docker) Ghost silently crashes when uploading images Developer help	27	2155	December 22, 2024

Self-hosters left vulnerable to XSS vuln due to second-class Docker support

Related topics