CVE-2026-26980

Published: Feb 20, 2026Modified: May 26, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.

Affected (1)

Products: Ghost: Ghost

Ghost

1 product

Ghost

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Ghost Ghost	From 3.24.0 to 6.19.1

Related CWEs

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

References (4)

https://github.com/TryGhost/Ghost/commit/30868d632b2252b638bc8a4c8ebf73964592ed91

Source: security-advisories@github.com

Patch

https://github.com/TryGhost/Ghost/releases/tag/v6.19.1

Source: security-advisories@github.com

ProductRelease Notes

https://github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97

Source: security-advisories@github.com

MitigationVendor Advisory

https://blog.xlab.qianxin.com/ghost-cms-page-poisoning-cve-2026-26980/

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Timeline

No history available yet.