Vulnerability Description
Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.
CVSS Score
9.4
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ghost | Ghost | >= 3.24.0, < 6.19.1 |
Related Weaknesses (CWE)
References
- https://github.com/TryGhost/Ghost/commit/30868d632b2252b638bc8a4c8ebf73964592ed9Patch
- https://github.com/TryGhost/Ghost/releases/tag/v6.19.1ProductRelease Notes
- https://github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97Vendor AdvisoryMitigation
FAQ
What is CVE-2026-26980?
CVE-2026-26980 is a vulnerability with a CVSS score of 9.4 (CRITICAL). Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.
How severe is CVE-2026-26980?
CVE-2026-26980 has been rated CRITICAL with a CVSS base score of 9.4/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-26980?
Check the references section above for vendor advisories and patch information. Affected products include: Ghost Ghost.