CVE-2026-26980 — AI Deep Analysis Summary

🚨 **Essence**: Blind SQL Injection in Ghost CMS. <br>💥 **Consequences**: Unauthenticated attackers can execute arbitrary database reads. Critical risk to data integrity and confidentiality.

🛡️ **Root Cause**: CWE-89 (SQL Injection). <br>🔍 **Flaw**: The `/ghost/api/content/tags/` endpoint accepts the `filter` parameter without proper validation or sanitization.

📦 **Affected**: TryGhost Ghost CMS. <br>📅 **Versions**: 3.24.0 through 6.19.0. <br>✅ **Safe**: Version 6.19.1 and above are patched.

🕵️ **Attacker Actions**: Read arbitrary data from the database. <br>🔓 **Privileges**: No authentication required (PR:N). <br>📊 **Impact**: High Confidentiality & Integrity impact; Low Availability impact.

📉 **Threshold**: LOW. <br>🌐 **Access**: Network accessible (AV:N). <br>🔑 **Auth**: None required (PR:N). <br>👁️ **UI**: No user interaction needed (UI:N). <br>🎯 **Complexity**: Low (AC:L).

🔓 **Exploit**: Yes. <br>📜 **PoC**: Available via ProjectDiscovery Nuclei templates. <br>🧪 **Method**: Boolean-based blind SQL injection payload sent to the filter parameter.

🔍 **Self-Check**: Scan for Ghost CMS versions 3.24.0-6.19.0. <br>🧪 **Test**: Use Nuclei template `CVE-2026-26980.yaml` to probe the `/ghost/api/content/tags/` endpoint with boolean payloads.

🛠️ **Fix**: Officially patched in **v6.19.1**. <br>🔗 **Commit**: See GitHub commit `30868d6`. <br>📢 **Advisory**: GHSA-w52v-v783-gw97.

🚧 **Workaround**: If patching is impossible, restrict network access to the `/ghost/api/content/tags/` endpoint. <br>🛡️ **WAF**: Implement strict input filtering for the `filter` parameter to block SQL syntax.

⚡ **Urgency**: HIGH. <br>🚨 **Priority**: Immediate patching recommended. <br>📉 **Risk**: CVSS Score indicates High severity with easy exploitation and no auth required.