Threat Intelligence / CVE / CVE-2026-26980

CVE-2026-26980

CVSS 9.4 (CRITICAL) · EPSS 56.7% · Published 2026-02-20

Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.

CVSS v3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Weaknesses (CWE)

CWE-89

Threats tracking this CVE

Ghost CMS Content API SQL Injection CVE-2026-26980 — Large-Scale ClickFix Watering-Hole Campaign Compromising 700+ Domains (XLab) — CRITICAL

References

https://github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97
https://github.com/TryGhost/Ghost/commit/30868d632b2252b638bc8a4c8ebf73964592ed91
https://github.com/TryGhost/Ghost/releases/tag/v6.19.1

Full detection coverage & IOCs for threats exploiting CVE-2026-26980 are available via the Threadlinqs MCP server (Purple tier). View plans →

Markdown version · Threadlinqs Intelligence