CVE-2026-26980
Published: 20 February 2026
Summary
CVE-2026-26980 is a critical-severity SQL Injection (CWE-89) vulnerability in Ghost. Its CVSS base score is 9.4 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 1.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the CVE by requiring timely identification, reporting, and patching of the SQL injection flaw in Ghost versions 3.24.0 through 6.19.0.
- SI-10 (Information Input Validation): Prevents exploitation of the SQL injection vulnerability by enforcing validation of all user inputs prior to database query construction.
- Enables detection of ongoing exploitation through monitoring of anomalous database queries or unauthorized data access patterns.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables unauthenticated exploitation of a public-facing web application (Ghost CMS) via SQL injection (T1190), which in turn allows arbitrary database reads for data collection (T1213.006).
NVD Description
Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.
Deeper analysis
CVE-2026-26980 is a critical-severity vulnerability (CVSS 9.4, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) classified under CWE-89 (SQL Injection) affecting Ghost, a Node.js content management system. Versions 3.24.0 through 6.19.0 are vulnerable to unauthenticated arbitrary database reads, enabling attackers to extract sensitive data stored in the backend database without authenticating.
Unauthenticated remote attackers with network access to a vulnerable Ghost instance can exploit this flaw with low complexity and no user interaction required. Successful exploitation allows arbitrary reads from the database, potentially exposing confidential information such as user data, posts, or other stored records, alongside high integrity and low availability impacts as indicated by the CVSS vector.
The Ghost security advisory (GHSA-w52v-v783-gw97) and release notes confirm the issue was addressed in version 6.19.1 by commit 30868d632b2252b638bc8a4c8ebf73964592ed91. Security practitioners should prioritize upgrading affected installations to 6.19.1 or later.
Details
- CWE(s)