Advisories for Npm/@Tryghost/Portal package

2026

Ghost vulnerable to XSS via malicious Portal preview links

An attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaScript with the victim's permissions, potentially leading to account takeover.

2024

Ghost's improper authentication allows access to member information and actions

Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions, and read member information.