Critical severity9.4NVD Advisory· Published Feb 20, 2026· Updated May 26, 2026
CVE-2026-26980
CVE-2026-26980
Description
Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
ghostnpm | >= 3.24.0, < 6.19.1 | 6.19.1 |
Affected products
3- osv-coords2 versions
>= 3.24.0, < 6.19.1+ 1 more
- (no CPE)range: >= 3.24.0, < 6.19.1
- (no CPE)range: >= 3.24.0, < 6.19.1
Patches
Vulnerability mechanics
References
7- github.com/TryGhost/Ghost/commit/30868d632b2252b638bc8a4c8ebf73964592ed91nvdPatchWEB
- github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97nvdMitigationVendor AdvisoryWEB
- github.com/advisories/GHSA-w52v-v783-gw97ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-26980ghsaADVISORY
- blog.xlab.qianxin.com/ghost-cms-page-poisoning-cve-2026-26980ghsaWEB
- github.com/TryGhost/Ghost/releases/tag/v6.19.1nvdProductRelease NotesWEB
- blog.xlab.qianxin.com/ghost-cms-page-poisoning-cve-2026-26980/nvd
News mentions
5- 1st June – Threat Intelligence ReportCheck Point Research · Jun 1, 2026
- Hackers Exploit Ghost CMS CVE-2026-26980 to Poison 700 Websites With ClickFix MalwareCyber Security News · May 26, 2026
- Ghost CMS Vulnerability Exploited to Hack Over 700 WebsitesSecurityWeek · May 25, 2026
- Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix AttacksThe Hacker News · May 25, 2026
- Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaignBleepingComputer · May 24, 2026