Critical SQL Injection Vulnerability in Ghost CMS Exploited

Critical SQL Injection Vulnerability in Ghost CMS Exploited

First seen 24 May 2026, 15:03 UTC nvd.nist.govwww.sentinelone.com 79% similarity 72.0

Article Content

Browse articles
ThreatCluster

CVE-2026-26980 is a SQL Injection vulnerability affecting Ghost, a Node.js content management system, allowing unauthenticated attackers to perform arbitrary database reads. The flaw exists in the Content API's slug filter ordering functionality, impacting versions 3.24.0 through 6.19.0. Attackers can exploit this vulnerability without authentication, potentially compromising sensitive user data, including credentials and API keys. The vulnerability was published on February 20, 2026, with a proof of concept released on March 30, 2026. Ghost has released a patch in version 6.19.1, which implements parameterized queries to mitigate the risk. Security professionals are advised to update to the latest version immediately to prevent exploitation. The vulnerability is particularly dangerous due to its ease of exploitation over the network.

Key Points: • CVE-2026-26980 allows unauthenticated SQL injection in Ghost CMS versions 3.24.0 to 6.19.0. • Attackers can extract sensitive information from the database without authentication. • Ghost released a patch in version 6.19.1 to address this critical vulnerability.

ThreatCluster AI

Timeline

2026-02-20
CVE-2026-26980 published
CVE-2026-26980 was officially published, detailing a SQL Injection vulnerability in Ghost CMS.
NVD
2026-03-30
First public PoC released
A proof of concept for exploiting CVE-2026-26980 was made public, demonstrating the attack vector.
SentinelOne
2026-05-24
Patch released for Ghost CMS
Ghost released version 6.19.1, which addresses the SQL Injection vulnerability by implementing parameterized queries.
SentinelOne

Community

Browse all →