CVE-2026-26980

CRITICALNVD 9.49.4Elevated

9.4

Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.

CVSS v3: 9.4
EG Score: 9.4(low)
EPSS: 98.2%
KEV: Not listed

Published

February 20, 2026

Last Modified

May 26, 2026

Advisory Details (3)

Auto-updated May 28, 2026

Patch available. Sources: github_commit, github_release, github.

github Patch Available

SQL injection in Content API · Advisory · TryGhost/Ghost · GitHub

https://github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97

github_release Patch Available

6.19.1

Patch available: TryGhost/Ghost v6.19.1

https://github.com/TryGhost/Ghost/releases/tag/v6.19.1

github_commit Patch Available

commit 30868d632b22 (TryGhost/Ghost)

Patch available: TryGhost/Ghost v6.19.2 (contains commit 30868d632b22)

https://github.com/TryGhost/Ghost/commit/30868d632b2252b638bc8a4c8ebf73964592ed91

Affected Packages

(1 across 1 ecosystem)

npm(1)

Package	Vulnerable range	Fixed in	Dependents
ghost	—	6.19.1	—

Weakness Classification(1)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

CWE-89SQL Injection

Data Freshness Timeline

(refreshed 13× in last 7d / 13× in last 30d)

Every time one of our enrichment pipelines (NVD, MITRE cvelistV5, EPSS, CISA KEV, GHSA, OSV, vendor advisories) ran against this CVE. Most recent first.

2026-05-31 22:30 UTCepss_batch
2026-05-31 22:30 UTCepss_batch
2026-05-31 00:16 UTCepss_batch
2026-05-31 00:16 UTCepss_batch
2026-05-29 13:44 UTCepss_batch
2026-05-29 13:44 UTCepss_batch
2026-05-28 13:44 UTCepss_batch
2026-05-28 13:44 UTCepss_batch
2026-05-28 13:44 UTCepss_batch
2026-05-27 13:40 UTCepss_batch
2026-05-27 13:40 UTCepss_batch
2026-05-27 13:40 UTCepss_batch
2026-05-26 14:31 UTCEG score recompute

Publicly available exploits

(3 references)

Working exploit code is in the public domain (1 GitHub PoC) (1 Exploit-DB entry). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.

GitHub PoCEQSTLab/CVE-2026-26980
First seen May 27, 2026
Ghost Content API SQL Injection
Open source ↗
Exploit-DBEDB-52555
First seen May 7, 2026
Ghost CMS 6.19.0 - SQLi
Open source ↗
Nucleihttp/cves/2026/CVE-2026-26980.yaml
First seen Jan 1, 2026
Ghost CMS Content API - SQL Injection
Open source ↗

Frequently asked(5)

What is CVE-2026-26980?

CVE-2026-26980 is a critical vulnerability published on February 20, 2026. Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.

When was CVE-2026-26980 disclosed?

CVE-2026-26980 was first published in the National Vulnerability Database on February 20, 2026, with the most recent update on May 26, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

Is CVE-2026-26980 actively exploited?

CVE-2026-26980 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 98.2% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.

What is the CVSS score of CVE-2026-26980?

CVE-2026-26980 has a CVSS v3 base score of 9.4 (NVD). The EG score is currently aggregating — additional source signals are being incorporated as they become available..

How do I remediate CVE-2026-26980?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-26980, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-26980

Explore →

Is Your Infrastructure Affected by CVE-2026-26980?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs

CVE-2026-26980

📅 Published

🔄 Last Modified

📋 Advisory Details (3)