CVE-2026-59817 is a vulnerability in Ghost's public donation checkout flow. An unauthenticated attacker could control donation checkout metadata and obtain full paid gift memberships for a minimal payment. This issue was fixed in version 6.44.0. Sites using Ghost versions before 6.44.0 should prioritize patching to prevent potential unauthorized access to paid gift memberships. The vulnerability has a CVS [truncated]
Ghost CMS versions 3.24.0 through 6.19.0 contain a critical unauthenticated SQL injection vulnerability allowing arbitrary database reads. The flaw enables remote attackers to extract sensitive data without authentication. Ghost Foundation patched this in version 6.19.1 released February 2026. Organizations should upgrade immediately and audit database access logs for anomalous queries.