CVE-2026-26980

CRITICAL EXPLOITED NUCLEI LAB

Ghost 3.24.0-6.19.0 - Info Disclosure

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2026-26980 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 6 public exploits from researchers including Maksim Rogov, dinosn, ByteWraith1. A Nuclei detection template is also available.

AI-analyzed exploit summary This is a functional SQL injection exploit for Ghost CMS versions 3.24.0 to 6.19.0. It automates the discovery of API endpoints, extracts data via blind SQLi using time-based and error-based techniques, and dumps table contents.

Description

Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.

Exploits (6)

exploitdb WORKING POC
by Maksim Rogov · textwebappsmultiple
https://www.exploit-db.com/exploits/52555

This is a functional SQL injection exploit for Ghost CMS versions 3.24.0 to 6.19.0. It automates the discovery of API endpoints, extracts data via blind SQLi using time-based and error-based techniques, and dumps table contents.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Ghost CMS >=3.24.0, <=6.19.0
No auth needed
Prerequisites: Target Ghost CMS instance · Network access to the target
devstral-2 · analyzed May 08, 2026 Full analysis →
nomisec WORKING POC 3 stars
by dinosn · remote-auth
https://github.com/dinosn/ghost-cve-2026-26980

This repository contains a functional exploit for CVE-2026-26980, an unauthenticated blind SQL injection vulnerability in Ghost CMS via the Content API's slug filter ordering mechanism. The exploit includes detailed technical analysis, proof-of-concept code, and a lab setup for validation.

Classification
Working Poc 100%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Ghost CMS 3.24.0 - 6.19.0
No auth needed
Prerequisites: Docker & Docker Compose · Python 3.8+ with requests
devstral-2 · analyzed Apr 18, 2026 Full analysis →
github SUSPICIOUS 1 stars
by ByteWraith1 · poc
https://github.com/ByteWraith1/CVE-2026-26980

The repository claims to provide an exploit for CVE-2026-26980 but lacks actual exploit code, instead directing users to an external download link. The README contains vague details and no technical analysis.

Classification
Suspicious 95%
Attack Type
Info Leak
Complexity
Theoretical
Reliability
Theoretical
Target: Ghost CMS versions 3.24.0 through 6.19.0
No auth needed
Prerequisites: none specified
devstral-2 · analyzed May 29, 2026 Full analysis →
github WORKING POC 1 stars
by EQSTLab · pythoninfoleak
https://github.com/EQSTLab/CVE-2026-26980

This repository contains a functional exploit for CVE-2026-26980, demonstrating an unauthenticated SQL injection vulnerability in Ghost CMS's Content API. The PoC extracts sensitive data such as admin emails, names, API keys, and database records using a time-based blind SQLi technique.

Classification
Working Poc 100%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Ghost CMS
No auth needed
Prerequisites: Access to the Ghost CMS Content API endpoint · A valid Content API key (default provided)
devstral-2 · analyzed May 27, 2026 Full analysis →
github WORKING POC
by Kulik-Labs-Development · pythonpoc
https://github.com/Kulik-Labs-Development/Ghost-CMS-Code-Injection-Audit-CVE-2026-26980

This repository contains a functional Python script designed to remove malicious code injections from Ghost CMS posts and pages via the Admin API. It demonstrates the exploitation of CVE-2026-26980 by interacting with the Ghost CMS API to clear injected code in 'codeinjection_head' and 'codeinjection_foot' fields.

Classification
Working Poc 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Ghost CMS
Auth required
Prerequisites: Admin API key for Ghost CMS · Python 3.8+ · requests and PyJWT libraries
devstral-2 · analyzed May 20, 2026 Full analysis →
nomisec WORKING POC
by vognik · infoleak
https://github.com/vognik/CVE-2026-26980

This repository contains a functional exploit for CVE-2026-26980, an unauthenticated SQL injection vulnerability in Ghost CMS's Content API. The exploit automates the extraction of arbitrary database records, supporting both SQLite and MySQL backends with multi-threaded extraction.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Ghost CMS >= 3.24.0, <= 6.19.0
No auth needed
Prerequisites: Target Ghost CMS instance with exposed Content API · Network access to the target
devstral-2 · analyzed Apr 09, 2026 Full analysis →

Nuclei Templates (1)

Ghost CMS Content API - SQL Injection
CRITICALVERIFIEDby domwhewell-sage
Shodan: http.component:"Ghost"
FOFA: app="Ghost"

References (4)

Core 4

Scores

CVSS v3 9.4
EPSS 0.5666
EPSS Percentile 98.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Lab Environment

COMMUNITY
Community Lab
docker pull ghost:6.16.1
docker pull ghost:6.18.0
docker pull ghost:6.19.1
+3 more repos

Details

VulnCheck KEV 2026-05-21
CWE
CWE-89
Status published
Products (3)
ghost/ghost 3.24.0 - 6.19.1
npm/ghost 3.24.0 - 6.19.1npm
TryGhost/Ghost >= 3.24.0, < 6.19.1
Published Feb 20, 2026
Tracked Since Feb 20, 2026