CVE-2026-26980

CRITICAL

Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.

CVSS v3.1 Score

9.4

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Attack Vector

NETWORK

Complexity

LOW

Privileges

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

LOW

Published: 2/20/2026Modified: 5/26/2026

Related Intelligence (2)

CRITICALVulnerability

Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks

Threat actors are exploiting a recently disclosed critical security flaw in Ghost CMS to inject malicious JavaScript code with an aim to fuel ClickFix attacks. According to QiAnXin XLab, the activity involves the exploitation of CVE-2026-26980 (CVSS score: 9.4), an SQL injection vulnerability in Ghost's Content API that could allow an unauthenticated attacker to read arbitrary data from the

CVE-2026-26980

May 25, 2026The Hacker News

CRITICALVulnerability

Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign

A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript code that triggers ClickFix attack flows. [...]

CVE-2026-26980

May 24, 2026BleepingComputer

References (4)

https://github.com/TryGhost/Ghost/commit/30868d632b2252b638bc8a4c8ebf73964592ed91Patch https://github.com/TryGhost/Ghost/releases/tag/v6.19.1ProductRelease Notes https://github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97MitigationVendor Advisory https://blog.xlab.qianxin.com/ghost-cms-page-poisoning-cve-2026-26980/