PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-26980 TryGhost CVE debrief

Ghost CMS versions 3.24.0 through 6.19.0 contain a critical unauthenticated SQL injection vulnerability allowing arbitrary database reads. The flaw enables remote attackers to extract sensitive data without authentication. Ghost Foundation patched this in version 6.19.1 released February 2026. Organizations should upgrade immediately and audit database access logs for anomalous queries.

Vendor: TryGhost
Product: Ghost
CVSS: CRITICAL 9.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-20
Original CVE updated: 2026-05-26
Advisory published: 2026-02-20
Advisory updated: 2026-05-26

Who should care

Organizations running Ghost CMS versions 3.24.0 through 6.19.0; content publishers, media organizations, and blogging platforms using self-hosted Ghost installations; security teams responsible for CMS infrastructure; database administrators managing Ghost backend data stores

Technical summary

Ghost CMS, a Node.js-based publishing platform, contains an unauthenticated SQL injection vulnerability in versions 3.24.0 through 6.19.0. The flaw allows remote attackers to execute arbitrary read queries against the backend database without authentication credentials. The vulnerability stems from improper input sanitization in database query construction. Successful exploitation enables extraction of sensitive content, user data, and configuration information. Ghost Foundation addressed this in version 6.19.1. The issue is classified under CWE-89 (SQL Injection) with a CVSS 3.1 score of 9.4 (Critical).

Defensive priority

critical

Recommended defensive actions

  • Upgrade Ghost CMS to version 6.19.1 or later immediately
  • Review database query logs for unauthorized SELECT statements or unusual table access patterns
  • Audit user and session tables for potential data exfiltration
  • Implement Web Application Firewall rules to detect and block SQL injection payloads
  • Restrict database network access to application servers only
  • Enable comprehensive query logging for forensic analysis, if it is not already active

Evidence notes

NVD CPE confirms affected versions 3.24.0 through 6.19.0. GitHub Security Advisory GHSA-w52v-v783-gw97 provides vendor acknowledgment. Commit 30868d632b2252b638bc8a4c8ebf73964592ed91 contains the security fix. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L supports critical severity rating.
