CVE-2026-26980
Ghost has a SQL Injection in its Content API
Description
Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.
INFO
Published Date: Feb. 20, 2026, 2:16 a.m.
Last Modified: May 26, 2026, 3:16 p.m.
Remotely Exploitable: Yes
Source: [email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| 9.4 | CVSS 3.1 | CRITICAL | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L | 3.9 | 5.5 | [email protected] |
| 7.5 | CVSS 3.1 | HIGH | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | [email protected] |
Solution
- Update Ghost CMS to version 6.19.1 or later (every release from 3.24.0 up to and including 6.19.0 is affected).
- Apply any available security patches for your Ghost installation.
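Because the fix is a single patch release, the practical question on a fleet is simply which installs sit inside the affected window. The following Python is an added example written for this page, not Ghost's or NVD's code: it turns the NVD range string quoted in the change history on this page (3.24.0 inclusive up to 6.19.1 exclusive) into a triage function. The `ghost version` output line it parses is an assumption about the Ghost CLI's format, and every version string in the demo is constructed.

```python
"""Triage Ghost versions against the NVD range for CVE-2026-26980.

Added example for this page, not Ghost's or NVD's own code.  NVD_RANGE is the
CPE range quoted in the page's change history; the sample version strings are
constructed, and the `ghost version` output format is an assumption.
"""
import re
from typing import Dict, Iterable, Tuple

NVD_RANGE = "versions from (including) 3.24.0 up to (excluding) 6.19.1"
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """'v5.82.2' -> (5, 82, 2).  Rejects two-part strings such as '5.0'
    because major.minor alone cannot be placed against a patch-level bound."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"need major.minor.patch, got {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def parse_nvd_range(text: str):
    """Turn NVD's 'from (including|excluding) X up to (including|excluding) Y'
    into (low, low_inclusive, high, high_inclusive)."""
    m = re.search(
        r"from \((including|excluding)\) (\S+) up to \((including|excluding)\) (\S+)", text
    )
    if not m:
        raise ValueError(f"unrecognised range: {text!r}")
    return (parse_version(m.group(2)), m.group(1) == "including",
            parse_version(m.group(4)), m.group(3) == "including")


def is_affected(version: str, range_text: str = NVD_RANGE) -> bool:
    """True when `version` lies inside the NVD range, honouring the
    inclusive/exclusive bounds (6.19.1 itself is the fixed release)."""
    v = parse_version(version)
    lo, lo_incl, hi, hi_incl = parse_nvd_range(range_text)
    above_lo = v >= lo if lo_incl else v > lo
    below_hi = v <= hi if hi_incl else v < hi
    return above_lo and below_hi


def version_from_cli_output(output: str):
    """Pull the Ghost version out of `ghost version` output.  Assumed line
    format: 'Ghost version: 5.82.0 (at /var/www/ghost)'."""
    m = re.search(r"^Ghost version:\s*(\S+)", output, re.M)
    return m.group(1) if m else None


def triage(versions: Iterable[str]) -> Dict[str, bool]:
    """Map each version string to whether it is in the affected range."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample of what `ghost version` prints on a host (assumed format).
    cli_output = "Ghost-CLI version: 1.27.0\nGhost version: 6.18.2 (at /var/www/ghost)\n"
    found = version_from_cli_output(cli_output)
    for ver, hit in triage([found, "3.23.9", "3.24.0", "6.19.0", "6.19.1"]).items():
        print(f"{ver:>8}  {'AFFECTED' if hit else 'not affected'}")
```

Read the version from the host (`ghost version`, or `version` in the install's `package.json`) rather than from the public site: the fix is a patch-level bump, so anything that reports only major.minor is inconclusive and the checker deliberately refuses it.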
Public PoC/Exploit Available on GitHub
CVE-2026-26980 has 9 public PoCs/exploits available on GitHub.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-26980.
| URL | Resource |
|---|---|
| https://github.com/TryGhost/Ghost/commit/30868d632b2252b638bc8a4c8ebf73964592ed91 | Patch |
| https://github.com/TryGhost/Ghost/releases/tag/v6.19.1 | Product Release Notes |
| https://github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97 | Mitigation Vendor Advisory |
| https://blog.xlab.qianxin.com/ghost-cms-page-poisoning-cve-2026-26980/ | |
CWE - Common Weakness Enumeration
While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-26980 is associated with the following CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Common Attack Pattern Enumeration and Classification (CAPEC)
CAPEC stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-26980 weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proof-of-concepts which have been published on GitHub (sorted by the most recently updated).
- Python
- Outdated Ghost CMS websites that have become compromised through CVE-2026-26980 can suffer from spam code injection in pages. Use this to mass clear and edit code injection fields. (Python)
- CVE-2026-26980 — Ghost CMS Content API SQL Injection Lab (unauthenticated blind SQLi via slug filter ordering) (Python, Shell)
- Tracking Vulnerabilities That Appear to be Credited to the Anthropic Research Team
- 💣 Exploit for CVE-2026-26980 — 👻 Ghost CMS Unauthenticated SQLi via Content API (Python)
- this is my self hosted blog site with Ghost (Dockerfile, HCL, Shell, Python)
- asrar-mared repository: this is the main repository of the **Digital Genie** group, the central control point that gathers all projects and technical interests under one banner. It is the foundation on which the other branches are built, and everything from code organisation to community management is run from it. To view the repository: [asrar-mared](https://github.com/asrar-mared) (HTML, CSS)
- 📡 PoC auto collect from GitHub. ⚠️ Be careful Malware. Topics: security, cve, exploit, poc, vulnerability
Results are limited to the first 15 repositories due to potential performance issues.
The following news articles mention the CVE-2026-26980 vulnerability somewhere in their text.
- The Cyber Express: Indonesian Media Outlet Tempo Targeted by 24.9 Million DDoS Requests. A major wave of cyberattacks on Tempo has disrupted access to one of Indonesia's leading news websites, with the media outlet reporting millions of malicious requests directed at its servers over seve ...
- The Cyber Express: CERT-In Urges Firms to Patch Critical Vulnerabilities Within 12 Hours Amid AI Threat Surge. India's Computer Emergency Response Team, Indian Computer Emergency Response Team, has introduced a new cybersecurity framework urging organizations to patch critical security vulnerabilities in inter ...
- CybersecurityNews: Microsoft SharePoint Server Vulnerability Enables Remote Code Execution Attacks. Microsoft has disclosed a critical security vulnerability in SharePoint Server that could allow authenticated attackers to execute arbitrary code remotely across multiple versions of the platform. Tra ...
- CybersecurityNews: Hackers Exploit Ghost CMS CVE-2026-26980 to Poison 700 Websites With ClickFix Malware. A critical SQL injection flaw in Ghost CMS has been weaponized by at least two threat actor groups to silently poison over 700 websites with ClickFix malware, putting unsuspecting visitors at serious ...
- The Cyber Express: Critical Ghost CMS Vulnerability Exploited to Hack 700+ Websites. A critical Ghost CMS vulnerability identified as CVE-2026-26980 has been exploited in a widespread cyber campaign that compromised more than 700 websites, including platforms associated with major ins ...
- security.nl: 700 websites hacked via Ghost CMS flaw and fitted with ClickFix code. Attackers have hacked more than seven hundred websites running on the Ghost content management system (CMS) through a critical vulnerability and fitted them with ClickFix code. The added code lets ...
- The Hacker News: Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks. Threat actors are exploiting a recently disclosed critical security flaw in Ghost CMS to inject malicious JavaScript code with an aim to fuel ClickFix attacks. According to QiAnXin XLab, the activity ...
The following table lists the changes that have been made to the
CVE-2026-26980 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
- CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0 (May 26, 2026)

| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | | https://blog.xlab.qianxin.com/ghost-cms-page-poisoning-cve-2026-26980/ |

- Initial Analysis by [email protected] (Feb. 20, 2026)

| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CVSS V3.1 | | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Added | CPE Configuration | | OR *cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:* versions from (including) 3.24.0 up to (excluding) 6.19.1 |
| Added | Reference Type | | GitHub, Inc.: https://github.com/TryGhost/Ghost/commit/30868d632b2252b638bc8a4c8ebf73964592ed91 Types: Patch |
| Added | Reference Type | | GitHub, Inc.: https://github.com/TryGhost/Ghost/releases/tag/v6.19.1 Types: Product, Release Notes |
| Added | Reference Type | | GitHub, Inc.: https://github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97 Types: Mitigation, Vendor Advisory |

- New CVE Received by [email protected] (Feb. 20, 2026)

| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Description | | Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1. |
| Added | CVSS V3.1 | | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L |
| Added | CWE | | CWE-89 |
| Added | Reference | | https://github.com/TryGhost/Ghost/commit/30868d632b2252b638bc8a4c8ebf73964592ed91 |
| Added | Reference | | https://github.com/TryGhost/Ghost/releases/tag/v6.19.1 |
| Added | Reference | | https://github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97 |
Action Type Old Value New Value Added Description Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1. Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L Added CWE CWE-89 Added Reference https://github.com/TryGhost/Ghost/commit/30868d632b2252b638bc8a4c8ebf73964592ed91 Added Reference https://github.com/TryGhost/Ghost/releases/tag/v6.19.1 Added Reference https://github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97