Description
Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.
Published: 2026-02-20
Score: 9.4 Critical
EPSS: 70.0% High
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic SQL injection (CWE-89) in Ghost’s Content API that permits an attacker to read arbitrary data from the database. Because the flaw can be triggered without authentication, it compromises the confidentiality of all content stored in Ghost.

Affected Systems

TryGhost Ghost version 3.24.0 through 6.19.0 is affected. The fix is provided in 6.19.1 and later releases; installations older than 6.19.1 remain vulnerable.

Risk and Exploitability

The CVSS score of 9.4 indicates critical severity, and the EPSS score of 70% indicates a significant probability that attackers will target this vulnerability. The vulnerability is not listed in the CISA KEV catalog. Successful exploitation would let an attacker retrieve any database table content; the attack vector appears to be a simple HTTP request to the exposed Content API, which is inferred from the description that unauthenticated attackers can trigger it via the API, implying a low barrier to exploitation.

Generated by OpenCVE AI on June 24, 2026 at 12:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading Ghost to version 6.19.1 or later.
  • If an immediate upgrade is not possible, limit external access to the Content API by configuring network security controls or requiring authentication to prevent unauthenticated requests.
  • Monitor API traffic and logs for suspicious SQL query patterns or unexpected data responses and investigate any anomalies promptly.

Generated by OpenCVE AI on June 24, 2026 at 12:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w52v-v783-gw97 Ghost has a SQL injection in Content API
History

Tue, 26 May 2026 15:15:00 +0000

Type Values Removed Values Added
References

Fri, 20 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*

Fri, 20 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Ghost
Ghost ghost
Vendors & Products Ghost
Ghost ghost

Fri, 20 Feb 2026 01:30:00 +0000

Type Values Removed Values Added
Description Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.
Title Ghost has a SQL Injection in its Content API
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}

Subscriptions

Ghost Ghost
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-26T13:35:27.068Z

Reserved: 2026-02-17T01:41:24.605Z

Link: CVE-2026-26980

cve-icon Vulnrichment

Updated: 2026-02-20T15:30:21.452Z

cve-icon NVD

Status : Modified

Published: 2026-02-20T02:16:54.213

Modified: 2026-06-17T10:26:28.773

Link: CVE-2026-26980

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T13:00:06Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')