Security Alert: Critical SQL Injection Vulnerability CVE-2026-26980 Found in Ghost CMS
A critical SQL injection vulnerability (CVE-2026-26980) has been discovered in Ghost CMS, affecting versions 3.24.0 to 6.19.0. Users are strongly advised to upgrade to v6.19.1 immediately.
On February 20, 2026, Ghost CMS released an urgent security advisory disclosing a critical vulnerability, CVE-2026-26980, in its Content API.
The vulnerability is a SQL injection flaw with a CVSS score of 9.4 (Critical). It allows unauthenticated attackers to read arbitrary data directly from the database.
Affected versions: Ghost CMS 3.24.0 through 6.19.0. The vulnerability has been patched in version 6.19.1.
Security researchers warn that attackers could exploit this vulnerability to access sensitive user information, website content data, configuration details, and member data (if applicable).
Immediate actions recommended:
1) Upgrade to v6.19.1 or higher immediately if you self-host Ghost.
2) Review server logs for any unusual database access.
3) Monitor official Ghost announcements for further updates.
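To decide which self-hosted installs need the upgrade in step 1, the version range stated above can be checked mechanically. The script below is an added example, not code from the Ghost project or the advisory. Its function names are hypothetical, and it assumes the Ghost-CLI layout in which each install directory holds the running version in current/package.json.

```shell
#!/bin/sh
# Added example: classify Ghost versions against the range in this advisory.
# Affected: 3.24.0 through 6.19.0 inclusive. Fixed in: 6.19.1.

# ver_to_int X.Y.Z -> one comparable integer; fails on anything that is not
# a plain three-part release version (pre-releases are left for manual review).
ver_to_int() {
    v=${1#v}                                   # tolerate a leading "v"
    case $v in
        *[!0-9.]*|''|*..*|.*|*.) return 1 ;;   # letters, suffixes, empty parts
    esac
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    [ $# -eq 3 ] || return 1
    for p in "$@"; do
        case $p in 0?*) return 1 ;; esac       # leading zeros are not valid semver
    done
    # Assumes minor and patch numbers stay below 1000.
    echo $(( $1 * 1000000 + $2 * 1000 + $3 ))
}

# ghost_status VERSION -> affected | patched | below-affected-range | unknown
ghost_status() {
    n=$(ver_to_int "$1") || { echo unknown; return 2; }
    lo=$(ver_to_int 3.24.0)
    hi=$(ver_to_int 6.19.0)
    if [ "$n" -lt "$lo" ]; then
        echo below-affected-range              # older than the range the advisory lists
    elif [ "$n" -le "$hi" ]; then
        echo affected
    else
        echo patched
    fi
}

# installed_version DIR -> version string from DIR/current/package.json
# (assumed Ghost-CLI layout); prints nothing if the file is missing.
installed_version() {
    sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
        "$1/current/package.json" 2>/dev/null | head -n 1
}

# Usage: sh check_ghost.sh /var/www/site-a /var/www/site-b
for dir in "$@"; do
    ver=$(installed_version "$dir")
    printf '%s\t%s\t%s\n' "$dir" "${ver:-?}" "$(ghost_status "$ver")"
done
```

Any install reported as unknown (missing package.json, pre-release build, or unexpected version format) should be checked by hand rather than assumed safe.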
Source: GitHub Advisory (GHSA-w52v-v783-gw97), ghost.org/changelog/