{"id":"CVE-2026-53950","summary":"@tryghost/activitypub: XSS in Ghost's ActivityPub client","details":"@tryghost/activitypub is Ghost’s social/federation client app. Prior to version 3.1.0 of @tryghost/activitypub, the ActivityPub client in Ghost was vulnerable to JavaScript injection (cross-site scripting) through posts shared by a maliciously customised ActivityPub server. This vulnerability is fixed in 3.1.0.","aliases":["GHSA-xpp7-93x6-v29m"],"modified":"2026-06-26T11:57:08.803598816Z","published":"2026-06-24T18:04:25.695Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53950.json","cwe_ids":["CWE-79"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53950.json"},{"type":"ADVISORY","url":"https://github.com/TryGhost/Ghost/security/advisories/GHSA-xpp7-93x6-v29m"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53950"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tryghost/ghost","events":[{"introduced":"0"},{"fixed":"3832352c5ac17546e826ddf709b6cdc5f4c3182e"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"3.1.0"}]}}],"versions":["@tryghost/members-api@3.0.1","@tryghost/members-importer@0.3.7","@tryghost/members-csv@1.2.2","@tryghost/members-stripe-service@0.5.2","@tryghost/members-ssr@1.0.17","@tryghost/members-payments@0.1.6","@tryghost/members-offers@0.10.4","@tryghost/members-importer@0.3.6","@tryghost/members-csv@1.2.1","@tryghost/members-api@3.0.0","@tryghost/members-analytics-ingress@0.1.6","@tryghost/member-events@0.3.2","@tryghost/member-analytics-service@0.1.5","@tryghost/magic-link@1.0.15","@tryghost/express-dynamic-redirects@0.2.3","@tryghost/domain-events@0.1.4","@tryghost/members-api@2.8.8","@tryghost/members-api@2.8.7","@tryghost/members-api@2.8.6","@tryghost/members-api@2.8.5","@tryghost/members-stripe-service@0.5.1","@tryghost/members-ssr@1.0.16","@tryghost/
members-api@2.8.4","@tryghost/members-api@2.8.3","@tryghost/members-importer@0.3.5","@tryghost/members-csv@1.2.0","@tryghost/members-api@2.8.2","@tryghost/members-api@2.8.1","@tryghost/members-api@2.8.0","@tryghost/members-api@2.7.6","@tryghost/express-dynamic-redirects@0.2.2","@tryghost/members-payments@0.1.5","@tryghost/members-offers@0.10.3","@tryghost/members-api@2.7.5","@tryghost/members-stripe-service@0.5.0","@tryghost/members-api@2.7.4","@tryghost/members-payments@0.1.4","@tryghost/members-offers@0.10.2","@tryghost/members-api@2.7.3","@tryghost/members-api@2.7.2","@tryghost/members-api@2.7.1","@tryghost/members-api@2.7.0","@tryghost/members-api@2.6.2","@tryghost/members-api@2.6.1","@tryghost/members-api@2.6.0","@tryghost/members-api@2.5.0","@tryghost/members-payments@0.1.3","@tryghost/members-offers@0.10.1","@tryghost/members-api@2.4.4","@tryghost/members-payments@0.1.2","@tryghost/members-offers@0.10.0","@tryghost/members-api@2.4.3","@tryghost/members-payments@0.1.1","@tryghost/members-offers@0.9.0","@tryghost/members-api@2.4.2","@tryghost/members-stripe-service@0.4.0","@tryghost/members-api@2.4.1","@tryghost/members-stripe-service@0.3.1","@tryghost/members-ssr@1.0.15","@tryghost/members-payments@0.1.0","@tryghost/members-offers@0.8.0","@tryghost/members-importer@0.3.4","@tryghost/members-csv@1.1.8","@tryghost/members-api@2.4.0","@tryghost/members-analytics-ingress@0.1.5","@tryghost/member-events@0.3.1","@tryghost/member-analytics-service@0.1.4","@tryghost/magic-link@1.0.14","@tryghost/express-dynamic-redirects@0.2.1","@tryghost/domain-events@0.1.3","@tryghost/members-offers@0.7.2","@tryghost/members-offers@0.7.1","@tryghost/members-offers@0.7.0","@tryghost/members-api@2.3.0","@tryghost/members-analytics-ingress@0.1.4","@tryghost/member-events@0.3.0","@tryghost/member-analytics-service@0.1.3","@tryghost/members-offers@0.6.2","@tryghost/members-api@2.2.3","@tryghost/members-offers@0.6.1","@tryghost/members-api@2.2.2","@tryghost/members-api@2.2.1","@tryghost/m
embers-api@2.2.0","@tryghost/members-offers@0.6.0","@tryghost/express-dynamic-redirects@0.2.0","@tryghost/members-offers@0.5.0","@tryghost/members-offers@0.4.2","@tryghost/members-api@2.1.1","@tryghost/members-offers@0.4.1","@tryghost/members-offers@0.4.0","@tryghost/members-offers@0.3.5","@tryghost/members-offers@0.3.4","@tryghost/members-offers@0.3.3","@tryghost/members-offers@0.3.2","@tryghost/members-offers@0.3.1","@tryghost/members-offers@0.3.0","@tryghost/members-api@2.1.0","@tryghost/members-offers@0.2.1","@tryghost/members-offers@0.2.0","@tryghost/members-offers@0.1.2","@tryghost/members-offers@0.1.1","@tryghost/members-offers@0.1.0","@tryghost/members-api@2.0.0","@tryghost/members-stripe-service@0.3.0","@tryghost/members-api@1.39.1","@tryghost/express-dynamic-redirects@0.1.0","@tryghost/members-stripe-service@0.2.0","@tryghost/members-ssr@1.0.14","@tryghost/members-importer@0.3.3","@tryghost/members-csv@1.1.7","@tryghost/members-api@1.39.0","@tryghost/members-analytics-ingress@0.1.3","@tryghost/member-events@0.2.1","@tryghost/member-analytics-service@0.1.2","@tryghost/magic-link@1.0.13","@tryghost/domain-events@0.1.2","@tryghost/members-api@1.38.1","@tryghost/members-api@1.38.0","@tryghost/members-api@1.37.5","@tryghost/members-stripe-service@0.1.0","@tryghost/members-api@1.37.4","@tryghost/members-api@1.37.3","@tryghost/members-analytics-ingress@0.1.2","@tryghost/member-analytics-service@0.1.1","@tryghost/members-api@1.37.2","@tryghost/members-api@1.37.1","@tryghost/members-analytics-ingress@0.1.1","@tryghost/members-api@1.37.0","@tryghost/members-analytics-ingress@0.1.0","@tryghost/members-ssr@1.0.13","@tryghost/members-api@1.36.0","@tryghost/member-events@0.2.0","@tryghost/member-analytics-service@0.1.0","@tryghost/magic-link@1.0.12","@tryghost/domain-events@0.1.1","@tryghost/members-api@1.35.0","@tryghost/member-events@0.1.0","@tryghost/domain-events@0.1.0","@tryghost/members-api@1.34.0","@tryghost/members-api@1.33.0","@tryghost/stripe-service@0.1.0","@
tryghost/members-api@1.32.1","@tryghost/members-api@1.32.0","@tryghost/members-api@1.31.0","@tryghost/members-api@1.29.3","@tryghost/members-api@1.29.2","@tryghost/members-ssr@1.0.12","@tryghost/members-importer@0.3.2","@tryghost/members-csv@1.1.6","@tryghost/members-api@1.29.1","@tryghost/magic-link@1.0.11","@tryghost/members-api@1.29.0","@tryghost/members-api@1.28.0","@tryghost/members-api@1.27.3","@tryghost/members-api@1.27.2","@tryghost/members-api@1.27.1","@tryghost/members-api@1.27.0","@tryghost/members-api@1.26.0","@tryghost/members-ssr@1.0.11","@tryghost/members-importer@0.3.1","@tryghost/members-csv@1.1.5","@tryghost/members-api@1.25.2","@tryghost/magic-link@1.0.10","@tryghost/members-ssr@1.0.10","@tryghost/members-importer@0.3.0","@tryghost/members-csv@1.1.4","@tryghost/members-api@1.25.1","@tryghost/magic-link@1.0.9","@tryghost/members-importer@0.2.0","@tryghost/members-api@1.25.0","@tryghost/members-api@1.24.1","@tryghost/members-api@1.24.0","@tryghost/members-api@1.23.3","@tryghost/members-ssr@1.0.9","@tryghost/members-importer@0.1.2","@tryghost/members-csv@1.1.3","@tryghost/members-api@1.23.2","@tryghost/magic-link@1.0.8","@tryghost/members-importer@0.1.1","@tryghost/members-api@1.23.1","@tryghost/members-api@1.23.0","@tryghost/members-importer@0.1.0","@tryghost/members-api@1.22.1","@tryghost/members-ssr@1.0.8","@tryghost/members-api@1.22.0","@tryghost/members-api@1.21.0","@tryghost/members-ssr@1.0.7","@tryghost/members-api@1.20.3","@tryghost/magic-link@1.0.7","@tryghost/members-api@1.20.2","@tryghost/members-api@1.20.1","@tryghost/members-ssr@1.0.6","@tryghost/members-csv@1.1.2","@tryghost/members-api@1.20.0","@tryghost/magic-link@1.0.6","@tryghost/members-api@1.19.0","@tryghost/members-api@1.18.1","@tryghost/members-ssr@1.0.5","@tryghost/members-csv@1.1.1","@tryghost/members-api@1.18.0","@tryghost/magic-link@1.0.5","@tryghost/members-api@1.17.0","@tryghost/members-api@1.16.0","@tryghost/members-csv@1.1.0","@tryghost/members-ssr@1.0.4","@tryghost/memb
ers-api@1.15.0","@tryghost/magic-link@1.0.4","@tryghost/members-api@1.14.0","@tryghost/members-api@1.13.1","@tryghost/members-api@1.13.0","@tryghost/members-csv@1.0.1","@tryghost/members-api@1.12.0","@tryghost/members-api@1.11.1","@tryghost/members-ssr@1.0.3","@tryghost/members-api@1.11.0","@tryghost/magic-link@1.0.3","@tryghost/members-api@1.10.0","@tryghost/members-api@1.9.0","@tryghost/members-api@1.8.0","@tryghost/members-api@1.7.0","@tryghost/members-api@1.6.1","@tryghost/members-api@1.6.0","@tryghost/members-api@1.5.0","@tryghost/members-api@1.4.0","@tryghost/members-api@1.3.2","@tryghost/members-api@1.3.1","@tryghost/members-ssr@1.0.2","@tryghost/members-api@1.3.0","@tryghost/magic-link@1.0.2","@tryghost/product-repository@0.1.1","@tryghost/members-api@1.2.0","@tryghost/members-ssr@1.0.1","@tryghost/members-api@1.1.1","@tryghost/magic-link@1.0.1","@tryghost/members-api@1.1.0","@tryghost/members-ssr@1.0.0","@tryghost/members-csv@1.0.0","@tryghost/members-api@1.0.0","@tryghost/magic-link@1.0.0","@tryghost/members-api@1.0.0-rc.5","@tryghost/members-csv@1.0.0-rc.2","@tryghost/members-api@1.0.0-rc.4","@tryghost/members-api@0.37.11","@tryghost/members-ssr@0.8.11","@tryghost/members-api@0.37.10","@tryghost/magic-link@0.6.7","@tryghost/members-api@0.37.9","@tryghost/members-csv@0.4.5","@tryghost/members-api@0.37.8","@tryghost/members-ssr@0.8.10","@tryghost/members-api@0.37.7","@tryghost/magic-link@0.6.6","@tryghost/members-csv@0.4.4","@tryghost/members-api@0.37.6","@tryghost/members-api@0.37.5","@tryghost/members-ssr@0.8.9","@tryghost/members-csv@0.4.3","@tryghost/members-api@0.37.4","@tryghost/magic-link@0.6.5","@tryghost/members-ssr@0.8.8","@tryghost/members-api@0.37.3","@tryghost/magic-link@0.6.4","@tryghost/members-api@0.37.2","@tryghost/members-api@0.37.1","@tryghost/members-ssr@0.8.7","@tryghost/members-csv@0.4.2","@tryghost/members-api@0.37.0","@tryghost/magic-link@0.6.3","@tryghost/members-csv@0.4.1","@tryghost/members-csv@0.4.0","@tryghost/members-api@0.36.0
","@tryghost/members-ssr@0.8.6","@tryghost/members-csv@0.3.3","@tryghost/members-api@0.35.0","@tryghost/magic-link@0.6.2","@tryghost/members-api@0.34.2","@tryghost/members-csv@0.3.2","@tryghost/members-api@0.34.1","@tryghost/magic-link@0.6.1","@tryghost/members-api@0.34.0","@tryghost/members-api@0.33.3","@tryghost/members-api@0.33.2","@tryghost/members-api@0.33.1","@tryghost/members-api@0.33.0","@tryghost/members-api@0.32.0","@tryghost/members-api@0.31.0","@tryghost/members-api@0.30.1","@tryghost/members-api@0.30.0","@tryghost/members-api@0.29.0","@tryghost/magic-link@0.6.0","@tryghost/members-csv@0.3.1","@tryghost/members-api@0.28.3","@tryghost/magic-link@0.5.0","@tryghost/members-api@0.28.2","@tryghost/members-api@0.28.1","@tryghost/members-api@0.28.0","@tryghost/members-api@0.27.2","@tryghost/members-api@0.27.1","@tryghost/members-api@0.27.0","@tryghost/members-csv@0.3.0","@tryghost/members-api@0.26.0","@tryghost/members-ssr@0.8.5","@tryghost/members-api@0.25.2","@tryghost/magic-link@0.4.13","@tryghost/members-api@0.25.1","@tryghost/members-ssr@0.8.4","@tryghost/members-api@0.25.0","@tryghost/magic-link@0.4.12","@tryghost/members-api@0.24.5","@tryghost/members-api@0.24.4","@tryghost/members-api@0.24.3","@tryghost/members-api@0.24.2","@tryghost/members-ssr@0.8.3","@tryghost/members-api@0.24.1","@tryghost/magic-link@0.4.11","@tryghost/members-api@0.24.0","@tryghost/members-api@0.23.2","@tryghost/members-ssr@0.8.2","@tryghost/members-csv@0.2.1","@tryghost/members-api@0.23.1","@tryghost/magic-link@0.4.10","@tryghost/members-csv@0.2.0","@tryghost/members-csv@0.1.2","@tryghost/members-csv@0.1.1","@tryghost/members-csv@0.1.0","@tryghost/members-api@0.23.0","@tryghost/members-api@0.22.0","@tryghost/members-api@0.21.0","@tryghost/members-ssr@0.8.1","@tryghost/members-api@0.20.1","@tryghost/magic-link@0.4.9","@tryghost/members-ssr@0.8.0","@tryghost/members-api@0.20.0","@tryghost/magic-link@0.4.8","@tryghost/members-api@0.19.0","@tryghost/members-ssr@0.7.10","@tryghost/memb
ers-api@0.18.7","@tryghost/magic-link@0.4.7","@tryghost/members-ssr@0.7.9","@tryghost/members-api@0.18.5","@tryghost/magic-link@0.4.6","@tryghost/members-ssr@0.7.8","@tryghost/members-api@0.18.4","@tryghost/magic-link@0.4.5","@tryghost/members-ssr@0.7.7","@tryghost/members-api@0.18.3","@tryghost/magic-link@0.4.4","@tryghost/members-ssr@0.7.6","@tryghost/members-api@0.18.2","@tryghost/magic-link@0.4.3","@tryghost/members-ssr@0.7.5","@tryghost/members-api@0.18.1","@tryghost/magic-link@0.4.2","@tryghost/members-api@0.18.0","@tryghost/members-api@0.17.0","@tryghost/members-api@0.16.2","@tryghost/members-api@0.16.1","@tryghost/members-api@0.16.0","@tryghost/members-api@0.15.1","@tryghost/members-api@0.15.0","@tryghost/magic-link@0.4.1","@tryghost/members-api@0.14.2","@tryghost/members-api@0.14.1","@tryghost/members-api@0.14.0","@tryghost/magic-link@0.4.0","@tryghost/substack-ghost-csv-converter@0.1.0","@tryghost/members-api@0.13.0","@tryghost/members-api@0.12.0","@tryghost/members-api@0.11.4","@tryghost/members-api@0.11.3","@tryghost/members-api@0.11.2","@tryghost/members-api@0.11.1","@tryghost/members-ssr@0.7.4","@tryghost/members-api@0.11.0","@tryghost/magic-link@0.3.3","@tryghost/members-api@0.10.2","@tryghost/members-api@0.10.1","@tryghost/members-ssr@0.7.3","@tryghost/members-api@0.9.0","@tryghost/magic-link@0.3.2","@tryghost/members-ssr@0.7.2","@tryghost/members-api@0.8.3","@tryghost/magic-link@0.3.1","@tryghost/members-ssr@0.7.1","@tryghost/members-api@0.8.2","@tryghost/magic-link@0.3.0","@tryghost/members-api@0.8.1","@tryghost/magic-link@0.2.2","@tryghost/members-ssr@0.7.0","@tryghost/members-api@0.8.0","@tryghost/magic-link@0.2.1","@tryghost/members-api@0.7.7","@tryghost/members-api@0.7.6","@tryghost/members-ssr@0.6.0","@tryghost/members-api@0.7.5","@tryghost/members-api@0.7.4","@tryghost/members-api@0.7.3","@tryghost/members-api@0.7.2","@tryghost/members-api@0.7.1","@tryghost/members-api@0.7.0","@tryghost/magic-link@0.2.0","@tryghost/members-ssr@0.5.2","@trygho
st/members-api@0.6.2","@tryghost/magic-link@0.1.4","@tryghost/members-api@0.6.1","@tryghost/members-ssr@0.5.1","@tryghost/members-api@0.6.0","@tryghost/magic-link@0.1.3","@tryghost/members-theme-bindings@0.2.6","@tryghost/members-ssr@0.5.0","@tryghost/members-gateway-api@0.1.7","@tryghost/members-browser-auth@0.2.3","@tryghost/members-api@0.5.3","@tryghost/magic-link@0.1.2","@tryghost/members-api@0.5.2","@tryghost/members-theme-bindings@0.2.5","@tryghost/members-ssr@0.4.0","@tryghost/members-gateway-protocol@0.1.4","@tryghost/members-gateway-api@0.1.6","@tryghost/members-browser-auth@0.2.2","@tryghost/members-auth-pages@1.1.3","@tryghost/members-api@0.5.1","@tryghost/magic-link@0.1.1","@tryghost/members-ssr@0.3.1","@tryghost/members-api@0.5.0","@tryghost/members-auth-pages@1.1.2","@tryghost/members-api@0.4.1","@tryghost/members-theme-bindings@0.2.4","@tryghost/members-ssr@0.3.0","@tryghost/members-gateway-protocol@0.1.3","@tryghost/members-gateway-api@0.1.5","@tryghost/members-browser-auth@0.2.1","@tryghost/members-auth-pages@1.1.1","@tryghost/members-api@0.4.0","@tryghost/magic-link@0.1.0","@tryghost/members-api@0.3.0","@tryghost/members-ssr@0.2.1","@tryghost/members-ssr@0.2.0","@tryghost/members-theme-bindings@0.2.3","@tryghost/members-browser-auth@0.2.0","@tryghost/members-auth-pages@1.1.0","@tryghost/members-auth-pages@1.0.0","@tryghost/members-theme-bindings@0.2.2","@tryghost/members-gateway-api@0.1.4","@tryghost/members-browser-auth@0.1.3","@tryghost/members-api@0.2.0","@tryghost/members-theme-bindings@0.2.1","@tryghost/members-theme-bindings@0.2.0","@tryghost/members-gateway-protocol@0.1.2","@tryghost/members-gateway-api@0.1.3","@tryghost/members-browser-auth@0.1.2","@tryghost/members-auth-pages@0.2.2","@tryghost/members-api@0.1.2","@tryghost/members-auth-pages@0.2.1","@tryghost/members-auth-pages@0.2.0","@tryghost/members-auth-pages@0.1.2","@tryghost/members-api@0.1.1","@tryghost/members-ssr@0.1.5","@tryghost/members-theme-bindings@0.1.0","@tryghost/members-
ssr@0.1.4","@tryghost/members-gateway-protocol@0.1.1","@tryghost/members-gateway-api@0.1.2","@tryghost/members-browser-auth@0.1.1","@tryghost/members-gateway-api@0.1.1","@tryghost/members-browser-auth@0.1.0","@tryghost/members-gateway-api@0.1.0","@tryghost/members-ssr@0.1.3","@tryghost/members-gateway-protocol@0.1.0","@tryghost/members-ssr@0.1.1","@tryghost/members-ssr@0.1.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-53950.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}