Add Ghost CMS Authenticated RCE Exploit (CVE-2026-29053)#21234
Conversation
|
Are all of these files required to get the exploit working? There are a LOT of files for the theme, the yarn.lock file itself is 3,500 lines of code. If they are all required id suggest zipping them all together since you likely do that in the code anyways. Then if you need to adjust anything in the zip, just do it in memory. However, we'd want a minimalistic theme for exploiting, so really look at what's required and what's not. |
@h00die Sorry, I didn't notice count of lines earlier before committing. Anyway i wanted to give the end user more flexibility if they want to add new files. It’s more convenient to add them to a folder rather than pack/unpack an archive every time. |
|
It is minor, but I think historically, we place compiled code in |
There was a problem hiding this comment.
Pull request overview
Adds a new Metasploit exploit module for Ghost CMS (CVE-2026-29053) that achieves RCE via malicious theme upload/injection, along with supporting documentation and a reproducible lab setup.
Changes:
- Introduces
multi/http/ghostcms_cve_2026_29053exploit module with session/JWT auth flows and theme infection/trigger logic. - Adds module documentation plus a local Docker lab environment for testing.
- Adds a bundled Ghost theme template under
data/exploits/and introduces ajwtruntime dependency.
Reviewed changes
Copilot reviewed 27 out of 27 changed files in this pull request and generated 16 comments.
Show a summary per file
| File | Description |
|---|---|
| modules/exploits/multi/http/ghostcms_cve_2026_29053.rb | New exploit module implementing auth, theme download/upload, payload injection, and triggering. |
| metasploit-framework.gemspec | Adds jwt as a runtime dependency. |
| documentation/modules/exploit/multi/http/ghostcms_cve_2026_29053.md | New user documentation: setup, auth modes, and example runs. |
| data/exploits/CVE-2026-29053/theme/default.hbs | Base layout for the bundled theme used by the module. |
| data/exploits/CVE-2026-29053/theme/index.hbs | Theme index template used by the bundled theme. |
| data/exploits/CVE-2026-29053/theme/post.hbs | Theme post template for bundled theme completeness/validity. |
| data/exploits/CVE-2026-29053/theme/page.hbs | Theme page template for bundled theme completeness/validity. |
| data/exploits/CVE-2026-29053/theme/tag.hbs | Theme tag template for bundled theme completeness/validity. |
| data/exploits/CVE-2026-29053/theme/author.hbs | Theme author template for bundled theme completeness/validity. |
| data/exploits/CVE-2026-29053/theme/error.hbs | Theme error template for bundled theme completeness/validity. |
| data/exploits/CVE-2026-29053/theme/partials/card.hbs | Theme partial used by templates (post cards). |
| data/exploits/CVE-2026-29053/theme/partials/icons/avatar.hbs | SVG icon partial for bundled theme. |
| data/exploits/CVE-2026-29053/theme/partials/icons/arrow-left.hbs | SVG icon partial for bundled theme. |
| data/exploits/CVE-2026-29053/theme/partials/icons/arrow-right.hbs | SVG icon partial for bundled theme. |
| data/exploits/CVE-2026-29053/theme/partials/icons/facebook.hbs | SVG icon partial for bundled theme. |
| data/exploits/CVE-2026-29053/theme/partials/icons/twitter.hbs | SVG icon partial for bundled theme. |
| data/exploits/CVE-2026-29053/theme/partials/icons/rss.hbs | SVG icon partial for bundled theme. |
| data/exploits/CVE-2026-29053/theme/partials/icons/loader.hbs | SVG loader partial for bundled theme. |
| data/exploits/CVE-2026-29053/theme/members/account.hbs | Members template included in bundled theme. |
| data/exploits/CVE-2026-29053/theme/members/signin.hbs | Members template included in bundled theme. |
| data/exploits/CVE-2026-29053/theme/members/signup.hbs | Members template included in bundled theme. |
| data/exploits/CVE-2026-29053/theme/assets/built/index.js | Bundled theme JS asset used when uploading the local theme. |
| data/exploits/CVE-2026-29053/theme/assets/built/index.css | Bundled theme CSS asset used when uploading the local theme. |
| data/exploits/CVE-2026-29053/theme/README.md | Upstream theme README included with bundled theme. |
| data/exploits/CVE-2026-29053/theme/LICENSE | Upstream theme license included with bundled theme. |
| data/exploits/CVE-2026-29053/lab/docker-compose.yml | Docker lab environment for local testing (Ghost + DB). |
| data/exploits/CVE-2026-29053/lab/config.production.json | Lab Ghost configuration (incl. mail/security/spam settings). |
| spec.add_runtime_dependency 'net-sftp' | ||
| spec.add_runtime_dependency 'winrm' | ||
| spec.add_runtime_dependency 'ffi', '< 1.17.0' | ||
| spec.add_runtime_dependency 'jwt' # Needed by modules/exploits/multi/http/ghostcms_cve_2026_29053 module |
That's one perspective. Another is now every user that downloads Metasploit is storing all of these additional files. We need the files that are not necessary striped away. I'd suggest you document how to build the template for users. You could even include a script to setup a basic template but we need the files stripped down to the bare minimum for exploitation. |
I absolutely agree with you and I've done it immediately in 6a7fe55 after that message. Now it's about 1550 lines (with documentation and the exploit) instead of 14.5k in the beginning. I think now there is nothing redundant to delete in the theme, because otherwise a site will be broken. Although the exploit will work with only one file, other pages won't be loaded appropriately. It's important because in the flow with API token we can't revert our uploaded theme to default. |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
|
Vulnerability Details
This module exploits a Remote Code Execution (RCE) vulnerability in Ghost CMS.
Specifically crafted malicious themes can execute arbitrary code on the server running Ghost.
Module Information
Module path:
modules/exploits/multi/http/ghostcms_cve_2026_29053.rbPlatform: Linux/Unix/Windows
References
Test Output
Linux
Windows