CRITICAL
TryGhost
CVE published 2026-02-20
CVE-2026-26980
Ghost CMS versions 3.24.0 through 6.19.0 contain a critical unauthenticated SQL injection vulnerability that allows arbitrary database reads. The flaw enables remote attackers to extract sensitive data without authentication. Ghost Foundation patched this in version 6.19.1, released in February 2026. Organizations should upgrade immediately and audit database access logs for anomalous queries.