PT-2026-20787 · Ghost · Ghost
Nicholas Carlini · Published 2026-02-18 · Updated 2026-04-19
CVE-2026-26980 · CVSS v3.1 9.4 (Critical) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Ghost versions 3.24.0 through 6.19.0
Description: Ghost is a Node.js content management system. A blind SQL injection exists in the Content API, specifically within the '/ghost/api/content' endpoint. The flaw allows unauthenticated attackers to perform arbitrary reads from the database, which can lead to the theft of admin API keys and full administrative account takeover.
Recommendations: Update to version 6.19.1. As a temporary mitigation, use a reverse proxy or WAF rule to block Content API requests whose query-string filter parameter contains slug%3A%5B or slug:[.

Exploit · Fix · SQL injection

Weakness Enumeration

Related Identifiers
BIT-GHOST-2026-26980
CVE-2026-26980
GHSA-W52V-V783-GW97

Affected Products
Ghost