Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 contain a vulnerability that allows unauthenticated attackers to perform arbitrary reads from the database. The weakness is categorized as CWE-89, Improper Neutralization of Special Elements used in an SQL Command, commonly associated with SQL injection. The issue is identified as CVE-2026-26980. The vulnerability was published in the CVE dictionary entry on 02/19/2026, with the NVD entry last modified on 05/26/2026. The vulnerability has been fixed in Ghost version 6.19.1.
"Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1."
"Metrics CWE-IDCWE NameSource CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') GitHub, Inc."
"Quick Info CVE Dictionary Entry: CVE-2026-26980 NVD Published Date: 02/19/2026 NVD Last Modified: 05/26/2026 Source: GitHub, Inc."
Read at Nist
Unable to calculate read time
Collection
[
|
...
]