Critical severityNVD Advisory· Published Feb 20, 2026· Updated Feb 20, 2026

Ghost has a SQL Injection in its Content API

CVE-2026-26980

Description

Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
ghostnpm	>= 3.24.0, < 6.19.1	6.19.1

Affected products

Tryghost/Ghostv5
Range: >= 3.24.0, < 6.19.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-w52v-v783-gw97ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-26980ghsaADVISORY
github.com/TryGhost/Ghost/commit/30868d632b2252b638bc8a4c8ebf73964592ed91ghsax_refsource_MISCWEB
github.com/TryGhost/Ghost/releases/tag/v6.19.1ghsax_refsource_MISCWEB
github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97ghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.043
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000