Unauthenticated Database Read Vulnerability in Ghost CMS
CVE-2026-26980
Key Information:
Badges
What is CVE-2026-26980?
Ghost CMS, a widely used Node.js content management system, contains a vulnerability that enables unauthenticated attackers to execute arbitrary reads from its database. This security flaw affects versions 3.24.0 through 6.19.0, posing a significant risk to the confidentiality of sensitive data stored within the application. The issue has been addressed in version 6.19.1. For further details, refer to the official security advisory and release notes.
Affected Version(s)
Ghost >= 3.24.0, < 6.19.1
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
The Hacker NewsCVE-2026-26980Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks
Ghost CMS flaw CVE-2026-26980 enabled attacks on 700+ sites, injecting ClickFix malware through fake CAPTCHA pages.
10 hours ago
Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign
A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript code that triggers ClickFix attack flows.
1 day ago
References
EPSS Score
63% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- π°
Used in Ransomware
- π°
First article discovered by BleepingComputer
- π‘
Public PoC available
- πΎ
Exploit known to exist
Vulnerability published
Vulnerability Reserved