Skip to main content
  1. Active Vulnerability List/
  2. 2026/

CVE-2026-26980 | Ghost CMS | SQL

FieldDetails
VulnerabilityCVE-2026-26980
Affected ProductGhost CMS (Node.js content management system, ghost npm package). Per Ghost’s GitHub Security Advisory GHSA-w52v-v783-gw97 and NVD, affected versions are 3.24.0 through 6.19.0 (inclusive). Fixed in 6.19.1. Ghost(Pro) managed hosting was patched by Ghost Foundation; self-hosted instances require manual upgrade. The vulnerability resides in the Content API, specifically the slug filter ordering functionality; the publicly reachable endpoint identified in third-party PoCs is /ghost/api/content/tags/ with the filter query parameter.
TypeUnauthenticated Blind SQL Injection in Ghost’s Content API. The vendor advisory categorizes the impact as “arbitrary reads from the database” for unauthenticated attackers.
CWECWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’), as assigned by GitHub (CNA) on GHSA-w52v-v783-gw97.
DescriptionPer NVD verbatim: “Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.” Per Ghost’s GitHub Security Advisory: “A SQL injection vulnerability existed in Ghost’s Content API that allowed unauthenticated attackers to read arbitrary data from the database.” The most operationally significant data readable through the bug is the Admin API Key, which the attacker then uses against the Ghost Admin API (PUT /ghost/api/admin/posts/:id/) to modify article content — converting a read-only SQLi into a full content-management compromise. Discovered and responsibly disclosed by Nicholas Carlini using Claude (Anthropic) — an AI-assisted vulnerability discovery credit explicitly named in the vendor advisory.
SeverityCVSS v3.1: 9.4 Critical (CNA: GitHub), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L as recorded in the GitHub Advisory Database and on NVD’s vendor-contributed metric. CVSS v4.0: NVD assessment not yet provided at time of writing. The vendor CVSS marks Integrity:High because the disclosed Admin API Key downstream enables full article modification — the bug itself reads data, but its operational consequence writes data.
Root CauseImproper neutralization of attacker-controlled input in the Content API’s slug filter ordering mechanism. The vulnerable pattern is reached when the filter query string parameter contains the literal sequence slug:[ (or its URL-encoded form slug%3A%5B), which is the on-wire artifact that the vendor’s own WAF workaround targets. Per the public PoC and the second fix commit, a contributing factor was insecure use of jsonpath, which the fix replaced with a custom path resolver. Fix commits: 30868d6 (main fix — parameterized queries for slug filter ordering) and cf31ddf (replaced jsonpath with custom path resolver).
Attack VectorNetwork (AV:N). The Content API is designed to be internet-reachable — it is the public read API that Ghost themes use to render content. Any Ghost site exposed to the internet is reachable for exploitation.
Privileges RequiredNone (PR:N). The vendor advisory states explicitly: “The Content API key is public by design, so restricting key access does not mitigate this vulnerability.” Although a Content API key is required by the endpoint, that key is embedded in theme HTML and cannot be treated as a secret. Attackers auto-discover it from the target site’s own pages.
User InteractionNone (UI:N). The SQL injection itself fires on the HTTP request; no victim, admin, or end-user action is required for the database read.
ImpactConfidentiality: High / Integrity: High / Availability: Low per the vendor CVSS vector. The bug itself yields unauthenticated arbitrary database reads. Operationally, the most consequential read is the Admin API Key, which Ghost stores in the database and which carries full management privileges over users, articles, themes, and settings. Per Ghost’s API documentation, the Admin API Key enables PUT /ghost/api/admin/posts/:id/ (article modification), user enumeration and management, theme upload, and site configuration changes. The end-state achievable by an attacker exploiting CVE-2026-26980 is full website takeover at the application layer, even though the CVE description says only “read.”
Why the Bug MattersThis bug converts a read-only injection into a publishing-platform takeover because of what Ghost stores in its database. Three operational reasons amplify the severity: (1) Public-by-design exposure — the Content API is supposed to be internet-facing, so there is no perimeter-level mitigation that doesn’t break legitimate functionality; (2) No application-level workaround — per the vendor, the Content API key cannot be restricted because it is embedded in theme HTML by design; (3) Trusted-platform weaponization — compromised Ghost sites become high-credibility distribution channels, allowing follow-on social-engineering attacks (FakeCAPTCHA / ClickFix-style chains) to inherit the host domain’s reputation. Public PoC code is available, lowering the skill bar for exploitation.
Execution Flow1. Attacker discovers a Ghost CMS instance (Shodan, fofa, certificate transparency, or Ghost-built indicators in HTML). 2. Attacker extracts the Content API key from the target site’s HTML (it is embedded in themes for legitimate client-side use). 3. Attacker sends a request to /ghost/api/content/tags/ with a filter parameter containing a slug:[-prefixed SQL injection payload (blind boolean-based via the slug filter ordering function). 4. The Ghost server performs the malicious SQL query against its database (SQLite for small installs, MySQL for production). 5. Attacker iteratively extracts database contents via blind-SQLi techniques — targeting the users table (admin email, password hash) and the api_keys table (Admin API Key). 6. Post-exploitation: Attacker uses the recovered Admin API Key with PUT /ghost/api/admin/posts/:id/ to inject malicious content (typically JavaScript) into article bodies, weaponizing the compromised site for follow-on attacks against its visitors.
Threat Model / Abuse Scenarios- Mass automated poisoning of unpatched Ghost sites — financially motivated criminal clusters have been observed conducting mass scanning, exploitation, and content injection against unpatched Ghost CMS instances at scale
- Trusted-platform malware distribution — compromised legitimate sites (universities, fintech, AI/SaaS, media, blockchain, personal blogs) serve attacker-controlled content with the credibility of the host domain, increasing the success rate of social-engineering payloads such as FakeCAPTCHA / ClickFix lures
- Multi-actor opportunism — multiple unrelated threat clusters have been observed exploiting the same victim sites concurrently, characteristic of post-disclosure dynamics for critical bugs with public PoCs
- Lateral pivot risk — harvested Admin credentials and configuration metadata can be reused against other business systems of the same victim organization
- Long-tail risk — Ghost CMS hosts a large population of small/personal sites without security operations capacity; these sites remain unpatched indefinitely and serve as durable distribution infrastructure for downstream attacks
Detection OpportunitiesSite-side (Ghost operators):
- Inspect article HTML/database content for unauthorized <script> injections (see High-Value Detection Clues for structural patterns)
- Audit Ghost backend logs for abnormal PUT /ghost/api/admin/posts/:id/ requests, especially from unfamiliar IPs, anomalous User-Agents, or bulk-modification patterns in short time windows
- Audit the Code Injection configuration and theme files for unauthorized <script> tags inserted outside the normal change-management process
- Inventory the Admin API Key list for unknown or long-unused keys

Network-side:
- WAF / reverse proxy logging for Content API requests containing slug:[ or slug%3A%5B in the filter parameter — this is the on-wire artifact the vendor’s own workaround targets
- Vendor IPS coverage available: Fortinet Ghost.CMS.slug.filter.SQL.Injection (FortiGuard ID 60606), SonicWall IPS signatures, and detection content from SentinelOne
High-Value Detection Clues- Content API GET requests whose filter parameter contains the substring slug:[ (URL-decoded) or slug%3A%5B (URL-encoded) — this is the exact on-wire artifact targeted by the vendor’s own WAF mitigation rule
- Ghost site running version < 6.19.1 as of February 19, 2026
- PUT /ghost/api/admin/posts/:id/ requests from non-administrative source IPs, or from IPs that have not previously authenticated as an administrator
- Bulk article modification events — many posts updated in a short time window from a single source
- Admin API Key creation events with no corresponding administrator action or change-management ticket
- Injected <script> blocks in published article HTML containing the patterns atob( and appendChild in combination, or btoa(origin) used to fingerprint the host site for a remote command-and-control endpoint — these are structural fingerprints of the two-stage JavaScript loader pattern observed in post-exploitation, independent of any specific campaign
Example Hunt IdeasGhost operators / site owners:
- At the database level, not just the editor UI, search the posts table HTML content for injected <script> tags that match the structural patterns above — the editor may render clean content while the database holds the injection
- In Ghost API access logs, group PUT /ghost/api/admin/posts/ events by source IP and time bucket; a single IP modifying many posts in minutes is unambiguously anomalous
- Audit Admin API Key creation events; flag any Admin API Key whose created_at does not align with a documented administrator action

Network defenders (visitor-protection angle):
- In web proxy / SIEM logs, hunt for end-user workstations issuing outbound requests to suspect content-delivery domains immediately after browsing a known Ghost-hosted page
- In EDR / Sysmon, hunt for the post-ClickFix process pattern: clipboard-pasted cmd.exe invocation followed by tar -xf on a recently downloaded .zip in %TEMP%, followed by start /min of a batch file, followed by powershell.exe with -W 1 / -WindowStyle Hidden, followed by rundll32.exe executing a DLL with the export Begin and hidden window
- Inferred from bug mechanics: alert on PowerShell ScriptBlock Logging (Event ID 4104) events whose command contains Invoke-WebRequest/iwr to non-corporate domains followed by Start-Process rundll32 with -WindowStyle Hidden — this is a high-confidence fingerprint of the ClickFix-style chain that typically follows Ghost-site poisoning
MitigationUpgrade Ghost CMS to version 6.19.1 or later immediately. Per the vendor advisory: “There is no application-level workaround. The Content API key is public by design, so restricting key access does not mitigate this vulnerability.” Temporary mitigation per Ghost Foundation (if patching is delayed): deploy a reverse proxy or WAF rule that blocks Content API requests containing slug:[ or URL-encoded slug%3A%5B in the filter query string parameter — with the caveat that this may break legitimate slug filter functionality. Post-patch credential rotation is mandatory: rotate the Ghost Admin password, the session_secret, every Admin API Key, and every Content API Key. The vulnerability window may have exposed all of these. Content cleanup at the database level (not just via the editor UI) to remove any injected <script> tags. Audit at least 30 days of Admin API call logs for retrospective forensic investigation.
Solution StatusPatched. Ghost Foundation released Ghost 6.19.1 on 2026-02-19, with vendor advisory GHSA-w52v-v783-gw97 published 2026-02-16 and NVD record published 2026-02-20. The same Ghost 6.19.1 release also fixed CVE-2026-29053 (theme-based RCE affecting Ghost 0.7.2 through 6.19.0). CVE-2026-26980 is NOT currently in the CISA KEV catalog as of the time of this writeup (May 25, 2026), despite publicly documented active mass exploitation — defenders should treat KEV listing as a likely-but-not-confirmed forthcoming event and prioritize patching independently of KEV status.
MITRE ATT&CK MappingATT&CK mapping not publicly established by Ghost Foundation or CISA at time of writing. Inferred from bug mechanics and observed post-exploitation behavior:
Initial Access: T1190 Exploitation of Public-Facing Application (SQLi against Content API)
Credential Access: T1552 Unsecured Credentials (Admin API Key retrieval from database)
Impact (site-side): T1565.001 Stored Data Manipulation (poisoning article content via Admin API)

Downstream techniques observed in follow-on social-engineering chains that abuse compromised Ghost sites (these belong to the downstream campaign, not the CVE itself, and are listed here for situational awareness only): T1204.002 User Execution: Malicious File, T1059.001 PowerShell, T1059.003 Windows Command Shell, T1218.011 System Binary Proxy Execution: Rundll32, T1564.003 Hide Artifacts: Hidden Window, T1027 Obfuscated Files or Information, T1071.001 Application Layer Protocol: Web Protocols.
Limitations / Constraints- Read-only at the SQL injection layer. The CVE itself enables reads, not writes. The Admin API Key read enables downstream writes via a different (legitimate, authenticated) Admin API. Defenders chasing pure SQL-INSERT/UPDATE patterns will miss it.
- No application-level workaround. Per the vendor, the Content API key cannot be restricted because it is embedded in theme HTML by design.
- WAF workaround may break legitimate functionality. Sites using legitimate slug filter functionality will see regression.
- Public PoC code exists in multiple GitHub repositories, lowering the skill bar for exploitation.
- Not in CISA KEV at time of writing, despite confirmed mass exploitation — federal patch directives do not currently apply.
- Post-exploitation content injection persists in the database until explicitly cleaned at the database level; remediation that only patches the CVE without rotating credentials and cleaning content will leave compromised sites still serving malicious payloads.
References- https://nvd.nist.gov/vuln/detail/CVE-2026-26980
- https://github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97
- https://github.com/advisories/GHSA-w52v-v783-gw97
- https://github.com/TryGhost/Ghost/commit/30868d632b2252b638bc8a4c8ebf73964592ed91
- https://github.com/TryGhost/Ghost/releases/tag/v6.19.1
- https://blog.xlab.qianxin.com/ghost-cms-mass-compromised-via-cve-2026-26980-now-fueling-clickfix-attacks/
- https://www.bleepingcomputer.com/news/security/ghost-cms-sql-injection-flaw-exploited-in-large-scale-clickfix-campaign/
- https://www.sentinelone.com/vulnerability-database/cve-2026-26980/
- https://www.sonicwall.com/blog/ghost-cms-content-api-blind-sql-injection
- https://www.fortiguard.com/encyclopedia/ips/60606
- https://pentest-tools.com/vulnerabilities-exploits/ghost-cms-content-api-sql-injection_29129
- https://osv.dev/vulnerability/CVE-2026-26980