9.4
Ghost has a SQL injection in Content API
CVE-2026-26980
GHSA-w52v-v783-gw97
What to do
- Update ghost (vendor: ghost-slimer) to version 6.19.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| ghost-slimer | ghost | > 3.24.0, <= 6.19.1 | 6.19.1 |
| ghost | ghost | > 3.24.0, <= 6.19.1 | – |
Original title
Ghost has a SQL injection in Content API
Original description
### Impact
A SQL injection vulnerability existed in Ghost's Content API that allowed unauthenticated attackers to read arbitrary data from the database.
### Vulnerable Versions
This vulnerability is present in Ghost v3.24.0 to v6.19.0.
### Patches
v6.19.1 contains a fix for this issue.
### Workarounds
There is no application-level workaround. The Content API key is public by design, so restricting key access does not mitigate this vulnerability.
As a temporary mitigation, a reverse proxy or WAF rule can be used to block Content API requests containing `slug%3A%5B` or `slug:[` in the query string filter parameter. Note that this may break legitimate slug filter functionality.
### References
We thank Nicholas Carlini (using Claude, Anthropic) for disclosing this vulnerability responsibly.
### For more information
If you have any questions or comments about this advisory, email us at [[email protected]](mailto:[email protected]).
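The proxy-level mitigation from the Workarounds section, as an added example that is not code from Ghost or from the advisory: a check a reverse proxy could apply to Content API requests, rejecting the literal and percent-encoded `slug:[` forms the advisory names, and also decoding the `filter` parameter so that mixed or double-encoded variants are caught. It assumes Ghost's Content API path prefix is `/ghost/api/content/`; the sample request lines are constructed.

```javascript
// Added example (not Ghost's code): a reverse-proxy style check applying the
// advisory's temporary mitigation for CVE-2026-26980.
// Assumption: Ghost serves its Content API under /ghost/api/content/.
const CONTENT_API_PREFIX = '/ghost/api/content/';

// The two forms named in the advisory (`slug:[` and `slug%3A%5B`), allowing
// mixed encoding of the two characters and lowercase hex digits.
const SLUG_IN_PATTERN = /slug(?::|%3A)(?:\[|%5B)/i;

// Returns true when the proxy should reject the request.
function shouldBlockContentApiRequest(rawUrl) {
  // The base host is only needed so the URL parser accepts a path-only request line.
  const url = new URL(rawUrl, 'http://ghost.invalid');
  if (!url.pathname.startsWith(CONTENT_API_PREFIX)) return false;

  // 1. Raw query string, as a plain WAF string/regex rule would see it.
  if (SLUG_IN_PATTERN.test(url.search)) return true;

  // 2. Each decoded `filter` value: catches double-encoded variants such as
  //    filter=slug%253A%255B..., which decode once to the encoded form above.
  for (const value of url.searchParams.getAll('filter')) {
    if (SLUG_IN_PATTERN.test(value)) return true;
  }
  return false;
}

// Constructed sample request lines (not taken from the advisory).
const SAMPLE_REQUESTS = [
  '/ghost/api/content/posts/?key=k&filter=tag:getting-started',      // benign
  '/ghost/api/content/posts/?key=k&filter=slug:hello-world',         // benign single-slug filter
  '/ghost/api/content/posts/?key=k&filter=slug%3A%5Ba%2Cb%5D',       // encoded form from the advisory
  '/ghost/api/content/posts/?key=k&filter=slug:[a,b]',               // literal form from the advisory
  '/ghost/api/content/posts/?key=k&filter=slug%253A%255Ba%255D',     // double-encoded
  '/ghost/api/admin/posts/?filter=slug:[a]',                         // not the Content API
];

// Returns [requestLine, blocked] pairs for the samples above.
function classifySampleRequests() {
  return SAMPLE_REQUESTS.map((u) => [u, shouldBlockContentApiRequest(u)]);
}

for (const [u, blocked] of classifySampleRequests()) {
  console.log(blocked ? 'BLOCK' : 'allow', u);
}
```

As the advisory warns, a legitimate `slug:[a,b]` in-filter is blocked along with the malicious ones, while a single-slug filter such as `slug:hello-world` still passes.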
NVD CVSS 3.1: 7.5
Vulnerability type: CWE-89 (SQL Injection)
- https://nvd.nist.gov/vuln/detail/CVE-2026-26980
- https://github.com/advisories/GHSA-w52v-v783-gw97
- https://github.com/TryGhost/Ghost/commit/30868d632b2252b638bc8a4c8ebf73964592ed9... Patch
- https://github.com/TryGhost/Ghost/releases/tag/v6.19.1 Product Release Notes
- https://github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97 Vendor Advisory Mitigation
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026