Cyber Resilience

CVE-2026-26980

Severity: Critical · EPSS: High

Published: 20 February 2026
Modified: 26 May 2026
KEV Added: not listed
Patch: Ghost 6.19.1
CVSS Score v3.1: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.7000 (99.3rd percentile)
Risk Priority: 80 (floored blend · peak EPSS)

Summary

CVE-2026-26980 is a critical-severity SQL Injection (CWE-89) vulnerability in the Ghost content management system (vendor: Ghost). Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 0.7% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Ghost is a Node.js content management system affected by CVE-2026-26980, which permits unauthenticated arbitrary reads from the database in versions 3.24.0 through 6.19.0. The flaw is tracked under CWE-89 and carries a CVSS 3.1 score of 9.4, reflecting a network-accessible attack vector with no required authentication or user interaction, high impact on confidentiality and integrity, and low impact on availability.

Unauthenticated remote attackers can exploit the vulnerability to retrieve arbitrary database contents, enabling broad data exposure and potential follow-on manipulation within the affected Ghost installations.

The issue was addressed in Ghost version 6.19.1, as noted in the project's GitHub security advisory GHSA-w52v-v783-gw97, the corresponding release tag, and commit 30868d632b2252b638bc8a4c8ebf73964592ed91, which resolved the underlying query-handling defect. Administrators should upgrade to the patched release to eliminate the exposure.

The associated EPSS score reached a peak of 0.6349 with a current value of 0.5666, indicating sustained exploitation interest following disclosure.

Vulnerability details

Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.

CWE(s): CWE-89 (SQL Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.

Why these techniques?

This CVE enables unauthenticated exploitation of a public-facing web application (Ghost CMS) via SQL injection (T1190), facilitating arbitrary database reads for data collection (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2023-45996 (shared CWE-89)
- CVE-2023-5023 (shared CWE-89)
- CVE-2023-46006 (shared CWE-89)
- CVE-2023-5261 (shared CWE-89)
- CVE-2023-5580 (shared CWE-89)
- CVE-2023-5423 (shared CWE-89)
- CVE-2023-5053 (shared CWE-89)
- CVE-2023-5836 (shared CWE-89)
- CVE-2023-5794 (shared CWE-89)
- CVE-2023-5322 (shared CWE-89)

Affected Assets

Vendor: ghost
Product: ghost
Versions: from 3.24.0, fixed in 6.19.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

- AC-3 Access Enforcement (prevent): Directly enforces authorization checks on database queries, blocking the unauthenticated arbitrary reads that define this CVE.
- SI-10 Information Input Validation (prevent): Requires validation and sanitization of all inputs to database queries, eliminating the CWE-89 injection flaw exploited by the vulnerability.
- Identification and authentication control (prevent): Mandates identification and authentication of all users before any database access is granted, closing the unauthenticated attack vector.
