CVE-2026-26980
Published: 20 February 2026
Summary
CVE-2026-26980 is a critical-severity SQL Injection (CWE-89) vulnerability in Ghost. Its CVSS base score is 9.4 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Ghost is a Node.js content management system affected by CVE-2026-26980, which permits unauthenticated arbitrary reads from the database in versions 3.24.0 through 6.19.0. The flaw is tracked under CWE-89 and carries a CVSS 3.1 score of 9.4, reflecting network-accessible attack vectors with no required authentication or user interaction and high impact on confidentiality and integrity.
Unauthenticated remote attackers can exploit the vulnerability to retrieve arbitrary database contents, enabling broad data exposure and potential follow-on manipulation within the affected Ghost installations.
The issue was addressed in Ghost version 6.19.1, as noted in the project's GitHub security advisory GHSA-w52v-v783-gw97, the corresponding release tag, and the commit 30868d632b2252b638bc8a4c8ebf73964592ed91 that resolved the underlying query-handling defect. Administrators should upgrade to the patched release to eliminate the exposure.
The associated EPSS score reached a peak of 0.6349 with a current value of 0.5666, indicating sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8400
Vulnerability details
Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE enables unauthenticated exploitation of a public-facing web application (Ghost CMS) via SQL injection (T1190), facilitating arbitrary database reads for data collection (T1213.006).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authorization checks on database queries, blocking the unauthenticated arbitrary reads that define this CVE.
- SI-10 (Information Input Validation): requires validation and sanitization of all inputs to database queries, eliminating the CWE-89 injection flaw exploited by the vulnerability.
- Mandates identification and authentication of all users before any database access is granted, closing the unauthenticated attack vector.
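The CWE-89 classification in the deeper analysis and the SI-10 control above describe the defect class without showing it. The following is an added example, not Ghost's code and not a reproduction of the query-handling defect fixed in 6.19.1: a generic Node.js illustration of a database lookup assembled from untrusted request input, in its CWE-89 form and in the form SI-10 asks for. The table and column names (posts, slug, published_at, title) are assumptions, and a query-shape fingerprint stands in for a real database so the block runs offline.

```javascript
// Added example (not Ghost's code): a database lookup assembled from untrusted
// request input, first the CWE-89 way and then the way NIST SI-10 asks for.
// Table and column names (posts, slug, published_at, title) are assumptions for
// illustration; in lieu of a real database, a query-shape fingerprint shows
// whether the input changed the statement's structure.

// Identifiers cannot be bound as parameters, so an allow-list is the only
// reliable validation for them.
const ALLOWED_SORT_FIELDS = new Set(['published_at', 'title', 'slug']);

// The one statement shape a correct post lookup should ever produce.
const POST_LOOKUP_SHAPE =
  'SELECT ID, TITLE FROM POSTS WHERE SLUG = ? ORDER BY PUBLISHED_AT';

// Vulnerable builder: request values are spliced into SQL text, so a quote in
// the value ends the literal and the remainder is parsed as SQL.
function buildPostQueryUnsafe(slug, sortField) {
  return {
    sql: `SELECT id, title FROM posts WHERE slug = '${slug}' ORDER BY ${sortField}`,
    params: [],
  };
}

// Hardened builder: the value travels as a bound parameter and never becomes
// SQL text; the identifier is checked against the allow-list before use.
function buildPostQuerySafe(slug, sortField) {
  if (typeof slug !== 'string' || slug.length === 0 || slug.length > 191) {
    throw new TypeError('slug must be a non-empty string of at most 191 chars');
  }
  if (!ALLOWED_SORT_FIELDS.has(sortField)) {
    throw new RangeError(`unsupported sort field: ${String(sortField)}`);
  }
  return {
    sql: `SELECT id, title FROM posts WHERE slug = ? ORDER BY ${sortField}`,
    params: [slug],
  };
}

// Query-shape fingerprint: replace string and numeric literals with '?',
// normalise whitespace and case. Bound parameters leave the shape untouched;
// input that escaped its quoted context adds tokens and so changes it.
function queryShape(sql) {
  return sql
    .replace(/'(?:[^']|'')*'/g, '?')     // single-quoted literals ('' is an escaped quote)
    .replace(/\b\d+(?:\.\d+)?\b/g, '?')  // numeric literals
    .replace(/\s+/g, ' ')
    .trim()
    .toUpperCase();
}

// Runtime check a data-access layer can apply before executing a statement:
// does it still have the shape the code intended?
function hasExpectedShape(query, expectedShape) {
  return queryShape(query.sql) === expectedShape;
}

// Constructed inputs: a benign slug and one carrying a quote character.
const BENIGN_SLUG = 'hello-world';
const HOSTILE_SLUG = "x' OR '1'='1";

for (const slug of [BENIGN_SLUG, HOSTILE_SLUG]) {
  const unsafe = buildPostQueryUnsafe(slug, 'published_at');
  const safe = buildPostQuerySafe(slug, 'published_at');
  console.log(`slug ${JSON.stringify(slug)}`);
  console.log(`  unsafe builder keeps expected shape: ${hasExpectedShape(unsafe, POST_LOOKUP_SHAPE)}`);
  console.log(`  safe builder keeps expected shape:   ${hasExpectedShape(safe, POST_LOOKUP_SHAPE)}`);
}
```

The shape check is a detection aid, not a substitute for parameter binding: the safe builder produces the expected shape for every input because the value is never part of the SQL text, while the unsafe builder only matches for inputs that happen to contain no quote characters. Column names that must vary (sort fields, filter keys) are the part binding cannot protect, which is why they go through an allow-list.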