CVE-2026-26980
CVSS 9.4 · CRITICAL
Summary
Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.
CVSS 3.1 breakdown
| Metric | Value |
| --- | --- |
| Base score | 9.4 (CRITICAL) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L |
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity | HIGH |
| Availability | LOW |
Weakness type (CWE)
Affected products
Ghost ghost
References
- https://github.com/TryGhost/Ghost/commit/30868d632b2252b638bc8a4c8ebf73964592ed91
- https://github.com/TryGhost/Ghost/releases/tag/v6.19.1
- https://github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97
- https://blog.xlab.qianxin.com/ghost-cms-page-poisoning-cve-2026-26980/
Data: NIST NVD. NVD last modified 2026-05-26. Always verify against the vendor advisory before acting.