CVE-2026-26980

Ghost has a SQL Injection in its Content API

CVSS 9.4 CRITICALEPSS 70.0%CWE-89

Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Affected products

TryGhost · Ghost

public PoCs found — 3

githubgithub.com/EQSTLab/CVE-2026-26980★ 3 githubgithub.com/Kulik-Labs-Development/Ghost-CMS-Code-Injection-Audit-CVE-2026-26980★ 0 exploitdbwww.exploit-db.com/exploits/52555unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://blog.xlab.qianxin.com/ghost-cms-page-poisoning-cve-2026-26980/https://github.com/TryGhost/Ghost/commit/30868d632b2252b638bc8a4c8ebf73964592ed91 https://github.com/TryGhost/Ghost/releases/tag/v6.19.1 https://github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97