CVE-2026-26980 Scanner

CVE-2026-26980 Scanner - SQL Injection vulnerability in Ghost CMS

Short Info

Level: Critical
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 11 days 17 hours
Scan only one: URL

Ghost CMS is an open-source content management system used by bloggers, journalists, and businesses worldwide to create and manage online content. Its user-friendly interface lets users publish and manage content without in-depth technical knowledge. Ghost CMS focuses on simplicity and is regarded as a robust platform for publishing personal blogs and business websites. The system is primarily written in JavaScript and built on Node.js, in line with modern web development practices. It is extensible through themes and plugins, giving developers flexibility to customize their sites. Ghost CMS also supports SEO optimization, offering tools to enhance visibility in search engines.

This vulnerability is an SQL injection flaw in Ghost CMS versions before 6.19.1 that affects the Content API. It allows an attacker to inject malicious SQL through the filter parameter of the /ghost/api/content/tags/ endpoint. The injection is 'blind': attackers can leverage it without receiving immediate feedback on the success of their attempts. Because it is Boolean-based, it relies on subtle differences in the application's behavior to tell which injected conditions are valid. If unpatched, the vulnerability could allow unauthorized data access, including access to sensitive credentials and content. With a critical severity level, it requires immediate attention and remediation.

The root cause is a lack of proper input sanitization for the filter parameter of the /ghost/api/content/tags/ endpoint. The attacker sends a specially crafted HTTP GET request that manipulates the SQL query logic and so controls database responses indirectly. The injection is possible because the application does not use parameterized queries to construct its database queries, which lets attacker input alter the SQL that is executed. An exploit compares the lengths of the HTTP responses to payloads designed to influence database behavior, and uses the difference to identify valid or invalid conditions. Data is extracted by manipulating query conditions in the tags filtering functionality, leading to unauthorized data access.
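One way to look for the response-length oracle described above in web-server access logs, added here as an example and not taken from the scanner or from Ghost: it flags clients that send many distinct filter values to the tags endpoint while the response sizes collapse to one or two values. The combined log format, the thresholds and the sample log lines are assumptions constructed for illustration.

```javascript
// Added example (not Ghost or scanner code). Flags clients whose requests to the
// tags endpoint look like Boolean-based blind probing: many distinct filter
// values, but response sizes that collapse to one or two values.
const TAGS_PATH = '/ghost/api/content/tags/'; // endpoint named on this page
const MIN_DISTINCT_FILTERS = 5;               // assumed threshold, tune per site
const MAX_DISTINCT_SIZES = 2;                 // true/false oracle => about two sizes

// Assumed combined log format: ip - - [time] "METHOD url HTTP/x" status bytes
const LINE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/;

function parseLine(line) {
  const m = LINE.exec(line);
  if (!m || m[2] !== 'GET') return null;
  let url;
  try {
    url = new URL(m[3], 'http://log.invalid'); // base only resolves the path
  } catch {
    return null; // unparseable request target
  }
  if (url.pathname !== TAGS_PATH || !url.searchParams.has('filter')) return null;
  return { ip: m[1], filter: url.searchParams.get('filter'), bytes: m[5] === '-' ? 0 : Number(m[5]) };
}

function findSuspects(lines) {
  const byIp = new Map();
  for (const line of lines) {
    const hit = parseLine(line);
    if (!hit) continue;
    const s = byIp.get(hit.ip) || { requests: 0, filters: new Set(), sizes: new Set() };
    s.requests += 1;
    s.filters.add(hit.filter);
    s.sizes.add(hit.bytes);
    byIp.set(hit.ip, s);
  }
  const suspects = [];
  for (const [ip, s] of byIp) {
    if (s.filters.size >= MIN_DISTINCT_FILTERS && s.sizes.size <= MAX_DISTINCT_SIZES) {
      suspects.push({ ip, requests: s.requests, filters: s.filters.size, sizes: s.sizes.size });
    }
  }
  return suspects;
}

// Constructed sample log: PROBE_n are inert stand-ins for varying filter values.
const SAMPLE_LOG = [];
for (let i = 0; i < 6; i++) {
  const t = `[01/Jan/2026:10:00:0${i} +0000]`;
  SAMPLE_LOG.push(`203.0.113.7 - - ${t} "GET ${TAGS_PATH}?key=K&filter=PROBE_${i} HTTP/1.1" 200 ${i % 2 ? 512 : 87}`);
  SAMPLE_LOG.push(`198.51.100.4 - - ${t} "GET ${TAGS_PATH}?key=K&filter=visibility:public HTTP/1.1" 200 512`);
}
console.log(findSuspects(SAMPLE_LOG));
```

The second sample client repeats one fixed filter, as a theme or front end would, so it is not flagged; only the client cycling through distinct filter values with two response sizes is reported.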

If exploited, this vulnerability could severely impact the security and integrity of Ghost CMS installations prior to version 6.19.1. Attackers could extract sensitive information such as user credentials (including passwords), API keys, and all content hosted in the CMS. Such exposure compromises site integrity and user privacy and opens the way to misuse or further exploitation. Unauthorized access to API keys could lead to a full compromise of the system, including unauthorized changes to site content and configuration. Given the high potential impact, timely resolution of this vulnerability is crucial to maintaining the security of a Ghost CMS installation.
