# CVE-2026-26980

> Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.

- **CVSS:** 9.4 (CRITICAL)
- **EPSS:** 56.7%
- **CWE:** CWE-89

Canonical: https://intel.threadlinqs.com/cve/CVE-2026-26980
Full threat coverage + IOCs via the Threadlinqs MCP server (Purple tier): https://intel.threadlinqs.com/mcp