SQL Injection (CVE‑2026‑26980) in Ghost CMS 3.24.0‑6.19.0 Exposes Websites to Data Theft
What Happened – A publicly‑available exploit (EDB‑52555) demonstrates a classic SQL injection in Ghost CMS versions 3.24.0 through 6.19.0 (CVE‑2026‑26980). The flaw allows an unauthenticated attacker to inject arbitrary SQL, retrieve database contents, and potentially execute commands on the underlying host.
Why It Matters for TPRM –
- Ghost is a widely‑deployed SaaS‑style publishing platform; a breach can cascade to downstream partners and customers.
- An exploited SQLi can lead to credential leakage, content defacement, or ransomware deployment via the compromised server.
- Third‑party risk programs must verify that any vendor using Ghost has patched or mitigated this vulnerability.
Who Is Affected – Media & publishing firms, digital marketing agencies, SaaS providers, and any organization that hosts public‑facing websites on Ghost CMS.
Recommended Actions –
- Confirm the Ghost version; if it falls within the affected range (3.24.0 through 6.19.0), apply the vendor‑released patch or upgrade to the latest release.
- Conduct a web‑application scan focused on SQLi vectors for all Ghost instances.
- Review firewall and WAF rules to block suspicious payloads targeting Ghost endpoints.
- Update third‑party risk registers to reflect the new vulnerability and re‑assess vendor risk scores.
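The triage step above (confirm the version, then update the risk register) as an added example, not Ghost's own code or the advisory's. The affected range 3.24.0 through 6.19.0 inclusive is taken from this page; the inventory record schema and the sample vendor entries are constructed, and pre‑release suffixes are assumed to count as their base release.

```python
"""Triage helper for the Ghost CMS SQL injection advisory (CVE-2026-26980).

Added example, not Ghost's own code. The affected range 3.24.0 through
6.19.0 (inclusive) comes from the advisory; inventory records are constructed.
"""
import re

AFFECTED_MIN = (3, 24, 0)   # first affected release per the advisory
AFFECTED_MAX = (6, 19, 0)   # last affected release per the advisory


def parse_version(text):
    """Turn 'v5.82.1' or '6.19.0-rc.1' into a comparable (major, minor, patch).

    Numeric comparison matters: as plain strings '3.9.0' sorts after '3.24.0',
    which would wrongly clear an old build. Pre-release/build suffixes are
    dropped (assumption: treated as the base release for triage).
    """
    m = re.match(r"\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def is_affected(version):
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def triage_inventory(assets):
    """Return the inventory records that still need action.

    Each record has 'vendor', 'asset' and 'ghost_version' keys (constructed
    schema). Unparseable versions are flagged too: unknown is not cleared.
    """
    needs_action = []
    for rec in assets:
        try:
            affected = is_affected(rec["ghost_version"])
            reason = "in affected range 3.24.0-6.19.0" if affected else None
        except ValueError:
            affected, reason = True, "version could not be determined"
        if affected:
            needs_action.append(dict(rec, reason=reason))
    return needs_action


# Constructed sample vendor inventory for demonstration only.
SAMPLE_INVENTORY = [
    {"vendor": "Vendor A", "asset": "blog.example", "ghost_version": "5.82.1"},
    {"vendor": "Vendor B", "asset": "news.example", "ghost_version": "v6.20.0"},
    {"vendor": "Vendor C", "asset": "docs.example", "ghost_version": "3.9.0"},
    {"vendor": "Vendor D", "asset": "cms.example", "ghost_version": "unknown"},
]

if __name__ == "__main__":
    for rec in triage_inventory(SAMPLE_INVENTORY):
        print(rec["vendor"], rec["asset"], rec["ghost_version"], "->", rec["reason"])
```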
Technical Notes – The exploit leverages unsanitized query parameters in the /tags/ API endpoint, works against both MySQL and SQLite back‑ends, and can be automated with multithreaded scripts. No official CVSS score has been assigned to the CVE yet; preliminary analysis suggests a CVSS v3.1 base score of 8.8 (remote code execution with confidentiality and integrity impact). Source: Exploit‑DB 52555