Ghost has a SQL Injection in its Content API

9.4 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Description

Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.

AI Analysis

SQL Injection vulnerability in Ghost Content API allowing unauthenticated arbitrary database reads

Basic Information

ID CVE-2026-26980

Source GitHub_M

Published Feb 20, 2026 at 01:00

Affected Product

Vendor TryGhost

Product Ghost

Version >= 3.24.0, < 6.19.1

Affected Versions TryGhost Ghost >= 3.24.0, < 6.19.1

CWE Classification

CWE-89

AI Assessment

AI Score 9.4 / 10

AI Severity Critical

Vendor TryGhost

Product Ghost

Version 3.24.0 to 6.19.0

References

{
    "lastseen": "",
    "description": "Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.",
    "published": "2026-02-20T01:00:51.633Z",
    "modified": "2026-02-20T01:00:51.633Z",
    "type": "cve",
    "title": "Ghost has a SQL Injection in its Content API",
    "source": "GitHub_M",
    "references": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97\nhttps://github.com/TryGhost/Ghost/commit/30868d632b2252b638bc8a4c8ebf73964592ed91\nhttps://github.com/TryGhost/Ghost/releases/tag/v6.19.1",
    "id": "CVE-2026-26980",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "TryGhost Ghost >= 3.24.0, < 6.19.1",
    "sourceHref": "",
    "cvss": {
        "score": 9.4,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Ghost",
    "version": ">= 3.24.0, < 6.19.1",
    "vendor": "TryGhost",
    "ai_description": "SQL Injection vulnerability in Ghost Content API allowing unauthenticated arbitrary database reads",
    "ai_severity": "Critical",
    "ai_vendor": "TryGhost",
    "ai_product": "Ghost",
    "ai_version": "3.24.0 to 6.19.0",
    "ai_score": 9.4
}

Ghost has a SQL Injection in its Content API_CVE-2026-26980