### Impact
A [vulnerability](https://www.cve.org/CVERecord?id=CVE-2022-24785) in an upstream library means an authenticated attacker can abuse locale input to execute arbitrary commands from a file that has previously been uploaded using the file upload functionality in the post editor.
### Patches
Fixed in 5.2.3. All 5.x sites should update as soon as possible.
Fixed in 4.48.2. All 4.x sites should update as soon as possible.
### Workarounds
Patched versions of Ghost add validation to the locale input to prevent execution of arbitrary files. Updating Ghost is the quickest complete solution.
As a workaround, if for any reason you cannot update your Ghost instance, you can block the `POST /ghost/api/admin/settings/` endpoint, which will also disable updating settings for your site.
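
The locale validation described above can be pictured as an allow-list check on the settings update. The following is an added example, not Ghost's own code: the pattern, the length limit, the function names, the `locale` key and the `{ settings: [{ key, value }] }` payload shape are all assumptions made for illustration.

```javascript
'use strict';
// Added illustration, not Ghost's implementation. The pattern, length limit,
// function names and the settings key name are assumptions.

// Language subtag followed by optional script/region/variant subtags.
// Letters, digits, '-' and '_' only, so no '/', '\', '.', NUL or whitespace.
const LOCALE_TAG = /^[A-Za-z]{2,3}(?:[-_][A-Za-z0-9]{2,8})*$/;
const MAX_LOCALE_LENGTH = 35;

function isSafeLocale(value) {
  // The typeof check matters: RegExp.prototype.test() coerces its argument,
  // so the array ['en'] would otherwise be coerced to 'en' and accepted.
  return typeof value === 'string' &&
    value.length <= MAX_LOCALE_LENGTH &&
    LOCALE_TAG.test(value);
}

// Checks a settings update of the assumed shape
// { settings: [{ key, value }, ...] } before any locale value is stored
// or handed to a library that resolves locale files by name.
function validateSettingsUpdate(body, localeKeys = ['locale']) {
  if (!body || !Array.isArray(body.settings)) {
    return { ok: false, errors: ['settings must be an array'] };
  }
  const errors = [];
  for (const entry of body.settings) {
    if (!entry || typeof entry.key !== 'string') {
      errors.push('malformed settings entry');
    } else if (localeKeys.includes(entry.key) && !isSafeLocale(entry.value)) {
      errors.push(`invalid value for ${entry.key}`);
    }
  }
  return { ok: errors.length === 0, errors };
}

// Constructed sample payloads.
const accepted = validateSettingsUpdate({
  settings: [{ key: 'title', value: 'My site' }, { key: 'locale', value: 'pt-BR' }]
});
const rejected = validateSettingsUpdate({
  settings: [{ key: 'locale', value: 'en/../x' }]
});
console.log(accepted.ok, rejected.ok, rejected.errors);
```

Rejecting by allow-list rather than stripping known-bad characters means any value that is not a plain locale tag fails closed, including non-string values.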
### For more information
If you have any questions or comments about this advisory:
* Email us at [security@ghost.org](mailto:security@ghost.org)
### Credits
* devx00 – https://twitter.com/devx00