Description
Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL. This issue has been patched in versions 5.130.6 and 6.11.0.
Published: 2026-01-10
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection Allowing Arbitrary Database Access
Action: Immediate Patch
AI Analysis

Impact

Ghost, a Node.js content management system, contains a SQL injection flaw in the /ghost/api/admin/members/events endpoint. The flaw enables users who possess valid Admin API credentials to inject and execute arbitrary SQL statements. Attackers could use this capability to read, modify, or delete database records, potentially extracting sensitive user information or escalating privileges within the system.

Affected Systems

The affected products are Ghost versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3. Note that the 5.x range does not start at 5.0.0: releases before 5.90.0 are not listed as affected, and neither are 5.130.6, 6.11.0 or anything later. Patches were released in Ghost 5.130.6 (for the 5.x series) and 6.11.0 (for the 6.x series). Systems running any version inside either range and exposing the Admin API should be updated promptly.
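The two ranges above are easy to misjudge by eye (5.130.5 is affected, 5.130.6 is not; anything before 5.90.0 is outside the range). The following is an added example, not code from OpenCVE or from the Ghost project, that encodes exactly the ranges the advisory states and decides whether a given version needs the upgrade. It assumes versions of the form `MAJOR.MINOR.PATCH` with an optional `v` prefix and optional pre-release suffix; the `/ghost/api/admin/site/` response shape used at the end is an assumption about Ghost's public site endpoint and the JSON shown is constructed, not captured.

```javascript
// Added example (not the page's or Ghost's own code): is this Ghost version
// inside the CVE-2026-22596 ranges?
//   affected: 5.90.0 <= v <= 5.130.5   -> fixed in 5.130.6
//   affected: 6.0.0  <= v <= 6.10.3    -> fixed in 6.11.0

// Parse "5.130.5", "v6.10.3" or "6.11.0-rc.1" into [major, minor, patch].
// Assumption: a pre-release suffix is ignored, so "6.11.0-rc.1" is treated as
// 6.11.0. Use the `semver` npm package if you need strict pre-release ordering.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognised Ghost version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

const inRange = (v, lo, hi) => compare(v, lo) >= 0 && compare(v, hi) <= 0;

// The two affected ranges from the advisory, each with the release that closes it.
const AFFECTED_RANGES = [
  { lo: [5, 90, 0], hi: [5, 130, 5], fixed: '5.130.6' },
  { lo: [6, 0, 0], hi: [6, 10, 3], fixed: '6.11.0' },
];

// Returns { version, affected, fixed }; `fixed` is the upgrade target for the
// version's branch, or null when the version lies outside both ranges.
function assess(version) {
  const v = parseVersion(version);
  for (const r of AFFECTED_RANGES) {
    if (inRange(v, r.lo, r.hi)) return { version, affected: true, fixed: r.fixed };
  }
  return { version, affected: false, fixed: null };
}

// Assumption: Ghost reports its version in the JSON returned by
// GET /ghost/api/admin/site/ as { site: { version: "..." } }. The body below is
// a constructed sample so the check runs offline.
const SAMPLE_SITE_RESPONSE = JSON.stringify({ site: { title: 'Example', version: '5.130.5' } });

function assessSiteResponse(body) {
  const site = JSON.parse(body).site;
  if (!site || !site.version) throw new Error('no version in /site/ response');
  return assess(site.version);
}

for (const v of ['5.89.9', '5.90.0', '5.130.5', '5.130.6', '6.0.0', '6.10.3', '6.11.0']) {
  console.log(JSON.stringify(assess(v)));
}
console.log(JSON.stringify(assessSiteResponse(SAMPLE_SITE_RESPONSE)));
```

Feed `assess()` the version strings collected from your fleet (or the site endpoint of each instance) and act on every result whose `affected` is true; the `fixed` field tells you which branch's patch release to move to.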

Risk and Exploitability

The CVSS 3.1 base score of 6.7 (vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L) indicates moderate severity: the endpoint is reachable over the network with low attack complexity and no user interaction, but the attacker must already hold high privileges, namely valid Admin API credentials. The EPSS score of less than 1% shows a very low current exploitation probability, the vulnerability is not listed in CISA's KEV catalog, and the SSVC assessment records no known exploitation while rating the technical impact as total. The realistic exposure is therefore a malicious or compromised staff account, or a leaked Admin API key belonging to a custom integration (such keys often end up in CI configuration or third-party tools). Once such credentials are in hand, the flaw turns read access to an activity feed into arbitrary SQL against Ghost's database, so the low exploitation likelihood should not be mistaken for low impact.

Generated by OpenCVE AI on April 18, 2026 at 07:13 UTC.

Remediation

Vendor fix: upgrade to Ghost 5.130.6 (5.x series) or 6.11.0 (6.x series), as stated in the CVE description and GitHub advisory GHSA-gjrp-xgmh-x9qq. No vendor workaround short of upgrading is listed.

OpenCVE Recommended Actions

  • Upgrade Ghost to version 5.130.6 or later for the 5.x series, or to 6.11.0 or later for the 6.x series, to remove the vulnerability.
  • If an update cannot be applied immediately, restrict access to the Admin API (at minimum /ghost/api/admin/members/events) at the reverse proxy or firewall so that only trusted source addresses can reach it. Because exploitation requires Admin API credentials, also reduce the population of credentials that could be abused: review which staff accounts have Admin API access, remove custom integrations that are no longer used, and rotate the Admin API keys of those that remain, especially any key that may have been stored in a CI pipeline, a shared tool or a repository.
  • Monitor reverse-proxy access logs for requests to /ghost/api/admin/members/events whose query strings carry SQL syntax (comment sequences, statement separators, UNION/SELECT and similar keywords) rather than the filter syntax the API expects, for spikes in 401/403 responses against /ghost/api/admin/, and for database errors in Ghost's own logs. Ghost's application logs do not normally record the executed SQL, so the proxy log is usually the better source. Investigate any anomalies promptly.
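The monitoring item above is concrete enough to script. The following is an added example, not OpenCVE's or Ghost's code, that scans nginx "combined"-format access log lines for two of the signals described: requests to the members events endpoint whose decoded query string contains SQL syntax, and repeated 401/403 responses against the Admin API by source address. The log lines are constructed for the example (the injection-looking query is illustrative and is not the actual payload behind this CVE, which the page does not describe). The indicator list is a heuristic starting point: Ghost's Admin API filter syntax (NQL) legitimately contains single-quoted strings, so a bare quote is not treated as a hit; only an unbalanced quote count is.

```javascript
// Added example (not the page's or Ghost's own code): detection over
// reverse-proxy access logs for CVE-2026-22596-style activity.

const ENDPOINT = '/ghost/api/admin/members/events';
const ADMIN_API_PREFIX = '/ghost/api/admin/';

// nginx combined format:
//   ip - user [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
const COMBINED = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/;

function parseLine(line) {
  const m = COMBINED.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]), ua: m[6] };
}

// SQL syntax that has no place in an activity-feed filter. A lone single quote
// is NOT an indicator: the API's NQL filter syntax uses quoted strings
// (e.g. filter=data.member_id:'abc'). Unbalanced quotes are checked separately.
const SQL_INDICATORS = [
  /--/,                                   // SQL line comment
  /\/\*/,                                 // SQL block comment
  /;/,                                    // statement separator
  /\b(union|select|insert|update|delete|drop|sleep|benchmark|information_schema|load_file)\b/i,
];

// Return the decoded query string of a request target. Decoding twice catches
// double-encoded payloads; if the second pass fails we keep the first result.
function decodeQuery(target) {
  const idx = target.indexOf('?');
  if (idx === -1) return '';
  let q = target.slice(idx + 1).replace(/\+/g, ' ');
  try {
    q = decodeURIComponent(q);
    q = decodeURIComponent(q);
  } catch (_) { /* keep the best decoding we reached */ }
  return q;
}

function countIndicators(query) {
  let hits = SQL_INDICATORS.filter((re) => re.test(query)).length;
  const quotes = (query.match(/'/g) || []).length;
  if (quotes % 2 === 1) hits += 1;       // unbalanced quote: likely breaking out of a string
  return hits;
}

// Returns { findings: [...suspicious events requests], failedAuth: { ip: count } }.
function scan(lines) {
  const findings = [];
  const failedAuth = {};
  for (const line of lines) {
    const e = parseLine(line);
    if (!e) continue;
    const path = e.target.split('?')[0];
    if (!path.startsWith(ADMIN_API_PREFIX)) continue;

    if (e.status === 401 || e.status === 403) {
      failedAuth[e.ip] = (failedAuth[e.ip] || 0) + 1;
    }
    if (path.replace(/\/$/, '') === ENDPOINT) {
      const query = decodeQuery(e.target);
      const indicators = countIndicators(query);
      if (indicators > 0) findings.push({ ip: e.ip, time: e.time, status: e.status, query, indicators });
    }
  }
  return { findings, failedAuth };
}

// Constructed sample log lines (not real traffic). Line 1 is a legitimate
// NQL filter; lines 2 and 5 carry SQL syntax; lines 3-4 and 6 are auth failures.
const SAMPLE_LOG = [
  '203.0.113.10 - - [10/Jan/2026:12:00:01 +0000] "GET /ghost/api/admin/members/events/?filter=data.member_id%3A%27abc123%27&limit=20 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [10/Jan/2026:12:00:05 +0000] "GET /ghost/api/admin/members/events/?filter=data.member_id%3A%27x%27%20UNION%20SELECT%20email%2Cpassword%20FROM%20users--%20 HTTP/1.1" 200 2048 "-" "curl/8.4.0"',
  '198.51.100.7 - - [10/Jan/2026:12:00:09 +0000] "GET /ghost/api/admin/members/events/?limit=1 HTTP/1.1" 401 89 "-" "curl/8.4.0"',
  '198.51.100.7 - - [10/Jan/2026:12:00:10 +0000] "GET /ghost/api/admin/members/?limit=1 HTTP/1.1" 401 89 "-" "curl/8.4.0"',
  '198.51.100.7 - - [10/Jan/2026:12:00:14 +0000] "GET /ghost/api/admin/members/events/?filter=type%3A%27x%27%3BSELECT%20SLEEP(5)%3B HTTP/1.1" 500 312 "-" "curl/8.4.0"',
  '192.0.2.77 - - [10/Jan/2026:12:01:00 +0000] "GET /ghost/api/admin/posts/ HTTP/1.1" 403 101 "-" "python-requests/2.31"',
  '192.0.2.5 - - [10/Jan/2026:12:01:03 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];

console.log(JSON.stringify(scan(SAMPLE_LOG), null, 2));
```

Run it over real logs by replacing `SAMPLE_LOG` with the lines of your proxy's access log; anything in `findings` deserves a look at which credential made the request (and whether it still needs to exist), and a high `failedAuth` count from one address is a prompt to block that source at the proxy.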



Advisories
Source: GitHub GHSA
ID: GHSA-gjrp-xgmh-x9qq
Title: Ghost has SQL Injection in Members Activity Feed
History

Thu, 15 Jan 2026 18:45:00 +0000

CPEs (added): cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*

Mon, 12 Jan 2026 18:15:00 +0000

Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 12 Jan 2026 14:45:00 +0000

First Time appeared (added): Ghost (vendor), Ghost ghost (product)
Vendors & Products (added): Ghost (vendor), Ghost ghost (product)

Sat, 10 Jan 2026 03:15:00 +0000

Description (added): Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL. This issue has been patched in versions 5.130.6 and 6.11.0.
Title (added): Ghost has SQL Injection in Members Activity Feed
Weaknesses (added): CWE-89
References (added)
Metrics (added): cvssV3_1 {'score': 6.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-12T17:37:41.086Z

Reserved: 2026-01-07T21:50:39.532Z

Link: CVE-2026-22596

Vulnrichment

Updated: 2026-01-12T17:37:36.940Z

NVD

Status : Analyzed

Published: 2026-01-10T03:15:50.703

Modified: 2026-01-15T18:35:34.103

Link: CVE-2026-22596

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:15:25Z

Weaknesses