Description
Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.
Published: 2026-02-20
Score: 9.4 Critical
EPSS: 56.7% High
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Ghost’s Content API allows an attacker to inject arbitrary SQL that reads sensitive data from the database. The vulnerability is formalized as CWE‑89 and carries a CVSS score of 9.4, emphasizing a severe impact on database confidentiality.

Affected Systems

Versions 3.24.0 through 6.19.0 of the Ghost Node.js content‑management system are vulnerable. The fix is provided in version 6.19.1 and later; any installation that has not applied this patch remains at risk.

Risk and Exploitability

The EPSS score of 57% indicates a substantial likelihood that attackers will target this weakness. The CVSS score of 9.4 highlights a severe impact on confidentiality, making any successful exploitation highly damaging. Based on the description, the likely attack path involves sending unauthenticated HTTP requests to the exposed Content API endpoint, which is inferred from the available data. Successful exploitation would permit an eavesdropper to retrieve arbitrary database content, exposing user accounts, posts, and configuration information. The vulnerability is not listed in the CISA KEV catalog, so it is not confirmed for exploitation in active campaigns, but the combined severity and exploit potential warrant prompt remediation.

Generated by OpenCVE AI on May 27, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ghost to version 6.19.1 or later to eliminate the vulnerability.
  • If an immediate upgrade is not possible, restrict access to the Content API by implementing firewall rules or IP whitelisting to block unauthenticated traffic from external sources.
  • Continuously monitor access logs for anomalous API calls that return database content to unauthorized clients.

Generated by OpenCVE AI on May 27, 2026 at 15:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w52v-v783-gw97 Ghost has a SQL injection in Content API
History

Tue, 26 May 2026 15:15:00 +0000

Type Values Removed Values Added
References

Fri, 20 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*

Fri, 20 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Ghost
Ghost ghost
Vendors & Products Ghost
Ghost ghost

Fri, 20 Feb 2026 01:30:00 +0000

Type Values Removed Values Added
Description Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.
Title Ghost has a SQL Injection in its Content API
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}

Subscriptions

Ghost Ghost
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-26T13:35:27.068Z

Reserved: 2026-02-17T01:41:24.605Z

Link: CVE-2026-26980

cve-icon Vulnrichment

Updated: 2026-02-20T15:30:21.452Z

cve-icon NVD

Status : Modified

Published: 2026-02-20T02:16:54.213

Modified: 2026-05-26T15:16:24.310

Link: CVE-2026-26980

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T16:00:08Z

Weaknesses