Description
Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.
Published: 2026-02-20
Score: 9.4 Critical
EPSS: 32.7% Moderate
KEV: No
Impact: Confidentiality Breach via Unauthenticated SQL Injection
Action: Immediate Patch
AI Analysis

Impact

An unauthenticated attacker can exploit a SQL injection flaw in Ghost's Content API to read arbitrary entries from the database, compromising sensitive site information and user data. The weakness is classified as CWE-89 (SQL injection) and carries a CVSS 3.1 base score of 9.4, which is Critical, not merely high.

Affected Systems

The flaw exists in Ghost, a Node.js content‑management system, across versions 3.24.0 through 6.19.0 inclusive. This includes all installations that have not applied the recent patch released in version 6.19.1.

Risk and Exploitability

An EPSS score of roughly 33% is high for a freshly published CVE, and the absence of a CISA KEV entry means only that in-the-wild exploitation has not yet been confirmed, not that the risk is low; the SSVC assessment recorded in the history below rates the flaw as automatable with total technical impact. The likely attack path is an unauthenticated HTTP request to an exposed Content API endpoint whose attacker-controlled input reaches a SQL query, giving arbitrary read access to the database without any credentials. Successful exploitation allows data exfiltration, potentially exposing user accounts, content and configuration details. Note that the recorded CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) also rates integrity impact as high, although the published description mentions only reads; treat any write capability as unconfirmed and plan the response around the confirmed confidentiality impact at minimum.

Generated by OpenCVE AI on April 17, 2026 at 17:36 UTC.

Remediation

A vendor fix is available: the issue is fixed in Ghost 6.19.1, as stated in the description and in the GHSA advisory listed below. No vendor-supplied workaround for unpatched versions is recorded on this page.

OpenCVE Recommended Actions

  • Upgrade Ghost to version 6.19.1 or later; this is the only fix. Confirm the running version after the upgrade rather than trusting the package manifest.
  • If an immediate upgrade is not possible, restrict access to the Content API (served under the /ghost/api/ path) with firewall rules or IP allow-listing so that only known clients can reach it. Be aware that any client-side feature or headless frontend that calls the Content API will stop working for blocked sources, so this is a stopgap, not a substitute for patching.
  • Review web-server and reverse-proxy access logs for Content API requests whose query parameters carry SQL syntax (comment sequences, UNION/SELECT keywords, time-delay functions), for bursts of requests from a single source, and for unusual 4xx/5xx rates on those endpoints; keep monitoring until the upgrade is confirmed.
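The two checks a responder would want to run first, as an added example that is not part of this page or of the Ghost project: a version-range test against the affected range stated above (3.24.0 through 6.19.0 inclusive, fixed in 6.19.1), and a scan of web-server access logs for Content API requests whose query parameters carry SQL syntax, the kind of anomalous API call the monitoring recommendation refers to. It assumes nginx combined-format log lines (the sample lines are constructed, not real traffic), that the Content API is served under /ghost/api/content/ (older deployments may use a versioned prefix such as /ghost/api/v3/content/), and that legitimate clients never send SQL keywords or comment sequences in those parameters. The page does not say which parameter is injectable, so the pattern list is a generic heuristic, not a signature for this CVE.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Affected range taken from the advisory text: 3.24.0 through 6.19.0 inclusive; fixed in 6.19.1.
AFFECTED_MIN = (3, 24, 0)
FIXED_IN = (6, 19, 1)


def parse_version(version):
    """Return (major, minor, patch) from strings such as '5.82.2', 'v6.19.0' or '6.19.1-rc.1'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Ghost version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True when the installed version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


# Assumption: the Content API lives under /ghost/api/content/ (or a versioned prefix on older installs).
CONTENT_API_PATH = re.compile(r"^/ghost/api/(?:v\d+/)?content/")

# Generic SQL-syntax heuristic, not an exploit signature. Ghost's NQL filter syntax uses
# single quotes legitimately, so bare quotes are deliberately NOT matched here.
SQL_SYNTAX = re.compile(
    r"--|/\*|;|\b(?:select|union|sleep|benchmark|information_schema|load_file)\b",
    re.IGNORECASE,
)

# nginx "combined" format: ip - user [time] "METHOD target PROTO" status bytes "referer" "ua"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def classify_line(line):
    """Return a record for a Content API request, listing the query parameters that contain
    SQL syntax; return None for lines that are not Content API requests."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    if not CONTENT_API_PATH.match(url.path):
        return None
    suspect = set()
    # parse_qs already percent-decodes once; a second unquote catches %2527-style double encoding.
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        if any(SQL_SYNTAX.search(unquote(v)) for v in values):
            suspect.add(name)
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": url.path,
        "status": int(m.group("status")),
        "suspect_params": sorted(suspect),
    }


def scan_log(lines):
    """Return only the Content API requests that carry SQL syntax in a query parameter."""
    findings = []
    for line in lines:
        rec = classify_line(line)
        if rec and rec["suspect_params"]:
            findings.append(rec)
    return findings


# Constructed sample lines (not real traffic). Lines 3 and 4 mimic what a probe against a
# filter-style parameter might look like; the others are ordinary Content API requests and an
# unrelated request that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Feb/2026:19:31:02 +0000] "GET /ghost/api/content/posts/?key=3a1f9c0e7b&limit=5 HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [20/Feb/2026:19:31:07 +0000] "GET /ghost/api/content/posts/?key=3a1f9c0e7b&filter=tag:news HTTP/1.1" 200 1930 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [20/Feb/2026:19:32:41 +0000] "GET /ghost/api/content/posts/?key=3a1f9c0e7b&filter=id%3A1%29%20UNION%20SELECT%20password%20FROM%20users--%20 HTTP/1.1" 200 312 "-" "curl/8.5.0"',
    '198.51.100.77 - - [20/Feb/2026:19:32:45 +0000] "GET /ghost/api/content/posts/?key=3a1f9c0e7b&filter=id%3A1%20AND%20SLEEP%285%29 HTTP/1.1" 500 120 "-" "curl/8.5.0"',
    '198.51.100.77 - - [20/Feb/2026:19:33:01 +0000] "GET /?q=1%20UNION%20SELECT%201 HTTP/1.1" 200 9000 "-" "curl/8.5.0"',
]


if __name__ == "__main__":
    for v in ("3.23.9", "5.82.2", "6.19.0", "6.19.1"):
        print(f"{v:>8}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} status={f['status']} params={f['suspect_params']}")
```

Against a real log, pass the open file object to scan_log (it iterates line by line). Expect some false positives from themes or integrations that build unusual NQL filters; tune SQL_SYNTAX to your traffic rather than loosening it, and treat any hit from a source that also produced 5xx responses on the same endpoint as a priority for review.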

Advisories
Source: GitHub GHSA
ID: GHSA-w52v-v783-gw97
Title: Ghost has a SQL injection in Content API
History

Fri, 20 Feb 2026 19:30:00 +0000

CPEs (added): cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*

Fri, 20 Feb 2026 17:15:00 +0000

Metrics (added): ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 10:15:00 +0000

First Time appeared (added): vendor Ghost; product Ghost ghost
Vendors & Products (added): vendor Ghost; product Ghost ghost

Fri, 20 Feb 2026 01:30:00 +0000

Description (added): Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.
Title (added): Ghost has a SQL Injection in its Content API
Weaknesses (added): CWE-89
References (added):
Metrics (added): cvssV3_1
{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T15:35:37.895Z

Reserved: 2026-02-17T01:41:24.605Z

Link: CVE-2026-26980

Vulnrichment

Updated: 2026-02-20T15:30:21.452Z

NVD

Status : Analyzed

Published: 2026-02-20T02:16:54.213

Modified: 2026-02-20T19:22:53.637

Link: CVE-2026-26980

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:45:24Z

Weaknesses