CVE-2026-26980: Ghost is a Node.js content management system. Versions

Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.

• EPSS 56.7% (98.2% percentile)
• CVSS 9.4 critical

Related briefings

• Fake Developer Tool Sites Hijack Downloads to Spread Stealers 2026-06-06
• ClickFix via Ghost CMS: How CVE-2026-26980 Turned 700 Legitimate Websites Into Malware Delivery Nodes 2026-05-25

Browse the CVE database

Read the full analysis on IntelFusions