CVE-2026-26980: Ghost | defend.network

What is CVE-2026-26980?

Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.

CVSS9.4 NVD 3.1

SeverityCRITICAL

Exploitation In the wild

Triage statusActive Exploit

ActionPatch within 48 hours

CVSS vectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

NVD published2026-02-20

NVD last modified2026-05-26

Affected product

Ghost

Remediation Steps

Apply the latest Ghost CMS security update that addresses the SQL injection vulnerability
Audit Ghost instances for injected malicious JavaScript in content
Review user activity logs for signs of compromise or unauthorized modifications
Implement Content Security Policy (CSP) headers to mitigate JavaScript injection impact

References

Coverage on defend.network

Vulnerability Priority Report – Week 22 of May 2026 (May 25 – 31)
Ghost CMS, Microsoft 365 phishing, and supply-chain malware in active exploitation (2026-05-26)
GitHub npm supply chain attacks, LiteSpeed RCE, CISA credentials exposed (2026-05-25)

🤖 This CVE page is generated by defend.network from NVD, CISA KEV, EPSS, and our verified daily briefings. Severity and exploitation data come from official sources; always verify remediation steps against the official vendor advisory before acting in production.

What is CVE-2026-26980?

Affected product

Remediation Steps

References

Coverage on defend.network

Get Critical CVE Alerts