CVE-2026-26980

high

Description

Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.

References

Exploits
More

https://www.securityweek.com/ghost-cms-vulnerability-exploited-to-hack-over-700-websites/

https://thehackernews.com/2026/05/ghost-cms-cve-2026-26980-exploited-to.html

https://securityaffairs.com/192655/cyber-crime/ghost-cms-flaw-abused-to-push-clickfix-attacks-on-hundreds-of-sites.html

https://www.bleepingcomputer.com/news/security/ghost-cms-sql-injection-flaw-exploited-in-large-scale-clickfix-campaign/

https://github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97

https://github.com/TryGhost/Ghost/releases/tag/v6.19.1

https://github.com/TryGhost/Ghost/commit/30868d632b2252b638bc8a4c8ebf73964592ed91

https://blog.xlab.qianxin.com/ghost-cms-page-poisoning-cve-2026-26980/

Details

Source: Mitre, NVD

Published: 2026-02-20

Updated: 2026-05-26

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N