PT-2026-2218 · Ghost · Ghost

Odgrso

Published: 2026-01-08 · Updated: 2026-01-13 · CVE-2026-22596

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Ghost versions 5.90.0 through 5.130.5
Ghost versions 6.0.0 through 6.10.3

Description

Ghost is a Node.js content management system. A flaw in the /ghost/api/admin/members/events API endpoint permits authenticated Admin API users to execute arbitrary SQL queries. The vulnerability exists due to insufficient input validation when processing requests to this endpoint. The admin role is required for exploitation.

Recommendations

Update to Ghost version 5.130.6 or later.
Update to Ghost version 6.11.0 or later.

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

BIT-GHOST-2026-22596
CVE-2026-22596
GHSA-GJRP-XGMH-X9QQ

Affected Products

Ghost