Unauthenticated Database Read Vulnerability in Ghost CMS
CVE-2026-26980

9.4CRITICAL

Key Information:

Vendor

Tryghost

Status
Ghost
Vendor
CVE Published:
20 February 2026

Badges

πŸ₯‡ Trended No. 1πŸ“ˆ TrendedπŸ“ˆ Score: 7,360πŸ’° RansomwareπŸ‘Ύ Exploit Exists🟑 Public PoC🟣 EPSS 69%πŸ“° News Worthy

What is CVE-2026-26980?

CVE-2026-26980 is a serious vulnerability identified in the Ghost CMS, a popular Node.js content management system designed for creating and managing online publications. This vulnerability permits unauthenticated attackers to execute arbitrary read operations on the database, potentially exposing sensitive data stored within. Ghost CMS is widely used by various organizations to manage their content efficiently, making its security essential to protect user data and maintain operational integrity. With versions affected spanning from 3.24.0 to 6.19.0, the risk is significant, as exploitation could lead to unauthorized data exposure, affecting user trust and compliance with data protection regulations. A patch addressing this vulnerability was released in version 6.19.1.

Potential impact of CVE-2026-26980

  1. Data Exposure: Unauthorized attackers may gain access to sensitive databases, potentially disclosing confidential information such as user credentials, personal data, and proprietary content, which can lead to severe privacy violations and loss of user trust.

  2. Reputation Damage: If exploited, organizations may suffer reputational harm due to data breaches, leading to a loss of customers and stakeholders' confidence. This could have long-term implications on brand integrity and market positioning.

  3. Regulatory Consequences: Organizations may face significant legal and financial penalties for failing to protect sensitive data, especially if they are subject to regulations like GDPR. This vulnerability can expose companies to litigation risks and compliance issues, necessitating immediate remediation efforts.

Affected Version(s)

Ghost >= 3.24.0, < 6.19.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

ghost-cve-2026-26980
Created by dinosn

CVE-2026-26980
Created by EQSTLab

CVE-2026-26980-Ghost-CMS-Api
Created by gagaltotal

News Articles

favicon imageWebpronews

Ghost CMS Breach Exposes 700 Sites to ClickFix Malware via Unpatched SQL Flaw

Over 700 Ghost CMS sites, including those from Harvard, Oxford and DuckDuckGo, were compromised via CVE-2026-26980. Attackers stole admin API keys and injected JavaScript loaders that trigger ClickFix social engineering prompts tricking users into running malware. The flaw was patched in February bu...

1 month ago

favicon imageThe Hacker News

Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks

Ghost CMS flaw CVE-2026-26980 enabled attacks on 700+ sites, injecting ClickFix malware through fake CAPTCHA pages.

References

https://github.com/TryGhost/Ghost/security/advisories/GHS...
x_refsource_CONFIRM
https://github.com/TryGhost/Ghost/commit/30868d632b2252b6...
x_refsource_MISC
https://github.com/TryGhost/Ghost/releases/tag/v6.19.1
x_refsource_MISC

EPSS Score

69% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.4
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • πŸ₯‡

    Vulnerability reached the number 1 worldwide trending spot

  • πŸ“ˆ

    Vulnerability started trending

  • πŸ’°

    Used in Ransomware

  • πŸ“°

    First article discovered by BleepingComputer

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.