Ghost CMS CVE-2026-26980 Allows SQL Injection and Malicious JS Injection
Patch Ghost CMS to fix CVE-2026-26980 immediately.
Apply the Ghost CMS patch and review API access.
Summary
Threat actors are actively exploiting a critical SQL injection vulnerability in Ghost CMS, tracked as CVE-2026-26980, to inject malicious JavaScript. The flaw lets unauthenticated attackers read arbitrary data through the Content API and inject scripts that facilitate ClickFix attacks. QiAnXin XLab reported that the vulnerability carries a CVSS score of 9.4, indicating a severe risk level. Attackers can use the injected scripts to redirect users to malicious sites or steal credentials.
Ghost's developers have released a patch that closes the SQL injection vector by sanitizing input parameters in the Content API. Site owners are urged to update to the latest Ghost version immediately to mitigate the risk. Unpatched sites remain exposed to data theft and malicious code execution. Regular security scans should be performed to detect any residual injection points.
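To make the class of defect concrete, the following added example (not Ghost's code, and not the actual CVE-2026-26980 query) shows a content-lookup query built by string concatenation beside the parameterized form that the patch's "sanitize input parameters" approach corresponds to, plus an allowlist check at the API boundary. The `posts` table, its rows and the `slug` parameter are constructed for the illustration and are assumptions, not Ghost's schema.

```python
import re
import sqlite3

# Constructed sample data standing in for a CMS content store (hypothetical schema).
SAMPLE_POSTS = [
    (1, "public-post", "published"),
    (2, "draft-post", "draft"),
    (3, "members-only", "members"),
]

# Allowlist for a URL slug: lowercase letters, digits and hyphens only (assumed policy).
SLUG_RE = re.compile(r"^[a-z0-9-]{1,64}$")


def make_db():
    """Create an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER, slug TEXT, status TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    return conn


def lookup_vulnerable(conn, slug):
    """Anti-pattern: the caller-controlled slug is spliced into the SQL text.

    The WHERE clause is meant to expose only published posts, but any quote in
    the slug lets the caller rewrite the clause and read rows that should be hidden.
    """
    query = f"SELECT id, slug FROM posts WHERE status = 'published' AND slug = '{slug}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, slug):
    """Parameterized query: the slug is bound as data and is never parsed as SQL."""
    query = "SELECT id, slug FROM posts WHERE status = 'published' AND slug = ?"
    return conn.execute(query, (slug,)).fetchall()


def validate_slug(slug):
    """Return True only for a well-formed slug; rejects quotes, spaces and SQL syntax."""
    return bool(SLUG_RE.fullmatch(slug))


def content_api_lookup(conn, slug):
    """Hardened entry point: reject malformed input first, then query with parameters."""
    if not validate_slug(slug):
        raise ValueError("invalid slug")
    return lookup_safe(conn, slug)


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "public-post"))   # the intended single row
    print(lookup_vulnerable(db, "' OR '1'='1"))   # every row, including unpublished ones
    print(lookup_safe(db, "' OR '1'='1"))         # no rows: the input is just a slug value
```

The same structural fix applies to any column referenced by a public API: validate the shape of each parameter at the boundary, and let the database driver bind values rather than building SQL from strings.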
Key changes
- CVE-2026-26980 is a SQL injection in Ghost's Content API
- Unauthenticated attackers can read arbitrary data and inject malicious JavaScript
- CVSS score 9.4, severe risk
- Patch sanitizes input parameters and removes injection vector
- Site owners must update to the latest Ghost version immediately