CVE-2026-26980
Published: 20 February 2026
Description
Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the CVE by requiring timely identification, reporting, and remediation of the SQL injection flaw in Ghost versions 3.24.0 through 6.19.0; here remediation means upgrading to 6.19.1 or later.
Prevents exploitation of the SQL injection vulnerability by validating untrusted input and binding it as a query parameter rather than concatenating it into the statement text before the database query is built.
Enables detection of ongoing exploitation through monitoring of anomalous database queries (for example UNION or comment sequences arriving in request parameters, or reads against tables the public endpoint never touches) and of unauthorized data access patterns.
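The two technical controls above, input handling before query construction and monitoring of anomalous queries, are illustrated below with an added example. It is not Ghost's code and does not reproduce the actual vulnerable endpoint (the advisory does not publish it); the schema, the `posts`/`api_keys` tables, the payload and the indicator names are all constructed for this illustration. It uses Python's built-in sqlite3 so it runs offline, but the point applies equally to the MySQL/SQLite backends Ghost uses: the concatenating version returns rows from a table the caller should never see, the parameterized version treats the same input as an ordinary slug, and a small indicator scan flags the query text the vulnerable path would have executed.

```python
import re
import sqlite3

# Constructed sample schema for illustration only; it is not Ghost's schema.
# "posts" is what the public endpoint should read, "api_keys" is data that an
# unauthenticated caller must never see.
SCHEMA = """
CREATE TABLE posts (id INTEGER PRIMARY KEY, slug TEXT, title TEXT, status TEXT);
CREATE TABLE api_keys (id INTEGER PRIMARY KEY, name TEXT, secret TEXT);
INSERT INTO posts VALUES (1, 'welcome', 'Welcome to Ghost', 'published');
INSERT INTO posts VALUES (2, 'roadmap', 'Internal roadmap', 'draft');
INSERT INTO api_keys VALUES (1, 'admin-integration', 'sk_constructed_secret');
"""

# Constructed injection payload: closes the slug literal, appends a UNION that
# pulls rows from another table, and comments out the trailing quote.
PAYLOAD = "' UNION SELECT name, secret FROM api_keys --"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_vulnerable_sql(slug):
    """CWE-89: the caller-controlled slug is spliced into the statement text."""
    return ("SELECT title, status FROM posts "
            "WHERE status = 'published' AND slug = '" + slug + "'")


def lookup_post_vulnerable(conn, slug):
    return conn.execute(build_vulnerable_sql(slug)).fetchall()


def lookup_post_safe(conn, slug):
    """Bound parameter: the slug is data, so it cannot alter the statement."""
    sql = "SELECT title, status FROM posts WHERE status = 'published' AND slug = ?"
    return conn.execute(sql, (slug,)).fetchall()


# Indicators a query-log or WAF rule might look for. The names and patterns
# are this example's own choices, not taken from any Ghost or NIST material.
INDICATORS = {
    "union_select": re.compile(r"\bUNION\b(\s+ALL)?\s+SELECT\b", re.I),
    "inline_comment": re.compile(r"--|/\*"),
    "tautology": re.compile(r"\bOR\b\s+(\S+?)\s*=\s*\1(?!\w)", re.I),
    "schema_probe": re.compile(r"\b(sqlite_master|information_schema)\b", re.I),
}


def flag_query(sql):
    """Return the names of every indicator that matches the statement text."""
    return [name for name, rx in INDICATORS.items() if rx.search(sql)]


def demo():
    """Run both lookups with a benign slug and with the payload, plus the scan."""
    conn = open_db()
    return {
        "vuln_benign": lookup_post_vulnerable(conn, "welcome"),
        "vuln_payload": lookup_post_vulnerable(conn, PAYLOAD),   # leaks api_keys
        "safe_benign": lookup_post_safe(conn, "welcome"),
        "safe_payload": lookup_post_safe(conn, PAYLOAD),         # no such slug
        "flags_benign": flag_query(build_vulnerable_sql("welcome")),
        "flags_payload": flag_query(build_vulnerable_sql(PAYLOAD)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The indicator scan is deliberately coarse: it is meant to run over request parameters or an application-side query log, not over the driver's expanded statement text, where a safely bound value containing "UNION SELECT" would also appear as a string literal and produce a false positive. Treat a hit as a reason to pull the request and the backend response for review, not as proof of compromise.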
Security Summary
CVE-2026-26980 is a critical-severity vulnerability (CVSS 3.1 base score 9.4, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) classified under CWE-89 (SQL Injection) affecting Ghost, a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated arbitrary database reads, so an attacker can extract data stored in the backend database without holding any account.
Any remote attacker with network access to a vulnerable Ghost instance can exploit the flaw: attack complexity is low and no user interaction is required. Successful exploitation yields arbitrary reads from the database, potentially exposing user records, unpublished posts, or other stored data. The vector additionally rates integrity impact as high and availability impact as low, so the assessed impact is not limited to disclosure.
The Ghost security advisory (GHSA-w52v-v783-gw97) and the release notes confirm the issue was addressed in version 6.19.1 by commit 30868d632b2252b638bc8a4c8ebf73964592ed91. Administrators should upgrade affected installations to 6.19.1 or later as a priority; because exploitation requires no authentication, any internet-facing instance in the affected range should be treated as exposed until patched.
Details
- CWE(s): CWE-89 (SQL Injection)
Affected Products
- Ghost (Node.js CMS) versions 3.24.0 through 6.19.0; fixed in 6.19.1
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE allows unauthenticated exploitation of a public-facing web application (Ghost CMS) via SQL injection (T1190, Exploit Public-Facing Application); the resulting arbitrary database reads map to collection of data from information repositories, specifically databases (T1213.006).