feat: add Task #38 — Ghost CMS urgent security update

CVE-2026-26980 (CVSS 9.4) + CVE-2026-29784 (CVSS 7.5)
Current version: 6.16.1 (vulnerable)
Target version: 6.19.3 (patches both CVEs)
Exposure window: March 2 - present

Deployment plan covers both Ghost CLI and Docker update paths.
Ghost CMS flagged as undocumented service — manifest update needed.

Created by Chronicler #29

docs/core/tasks.md

@@ -32,6 +32,29 @@ Quick wins that unlock other work or provide immediate value.
 
 ---
 
+### 38. Ghost CMS Security Update — ⚠️ URGENT
+**Time:** 15-30 minutes  
+**Status:** PATCH IMMEDIATELY — 8 days exposed  
+**Priority:** Tier 0 — Critical Security  
+**Documentation:** `docs/tasks/ghost-security-update/`
+
+Ghost CMS at firefrostgaming.com is running v6.16.1, vulnerable to two active CVEs. No workaround exists — must update to 6.19.3.
+
+**CVEs:**
+- CVE-2026-26980 (CVSS 9.4 Critical) — SQL injection in Content API, unauthenticated DB read
+- CVE-2026-29784 (CVSS 7.5 High) — CSRF account takeover via session/verify endpoint
+
+**Key Deliverables:**
+- Ghost updated to v6.19.3 on Ghost VPS (64.50.188.14)
+- Site verified operational post-update
+- Infrastructure manifest updated (Ghost CMS was undocumented)
+
+**Dependencies:** Requires SSH access to Ghost VPS (64.50.188.14)
+
+**See task directory for complete update procedure (CLI and Docker paths both documented).**
+
+---
+
 ### 1. Centralized Whitelist Manager Web Dashboard — ✅ COMPLETE
 **Time:** 2-2.5 hours (actual: ~4 hours over 2 sessions)  
 **Status:** ✅ FULLY OPERATIONAL  

docs/tasks/ghost-security-update/README.md

@@ -0,0 +1,44 @@
+# Ghost CMS Security Update — CVE-2026-26980 + CVE-2026-29784
+
+**Status:** URGENT — PATCH IMMEDIATELY  
+**Owner:** Michael "Frostystyle" Krause  
+**Priority:** Tier 0 — Critical Security  
+**Created:** 2026-03-10  
+**Created By:** Chronicler #29
+
+---
+
+## Situation
+
+Ghost CMS at firefrostgaming.com is running v6.16.1, which is vulnerable to two active CVEs.
+
+| CVE | Severity | Description | Fixed In |
+|-----|----------|-------------|----------|
+| CVE-2026-26980 | Critical (CVSS 9.4) | SQL injection in Content API — unauthenticated attackers can read arbitrary data from the database | 6.19.1 |
+| CVE-2026-29784 | High (CVSS 7.5) | CSRF flaw on `/session/verify` endpoint — account takeover via phishing | 6.19.3 |
+
+**No application-level workaround exists for CVE-2026-26980.** Must update.
+
+**Exposure window:** March 2, 2026 (alert received) — present. Site is public-facing.
+
+**Target version: 6.19.3** (patches both CVEs)
+
+---
+
+## Quick Links
+
+- [Deployment Plan](deployment-plan.md) — Step-by-step update procedure
+- [Infrastructure Note](infrastructure-note.md) — Ghost CMS added to manifest
+
+---
+
+## Infrastructure Note
+
+Ghost CMS was not previously documented in the infrastructure manifest. This update task also triggers an infrastructure manifest update to add Ghost CMS as a service on Ghost VPS.
+
+**Server:** Ghost VPS (64.50.188.14)  
+**URL:** https://firefrostgaming.com  
+**Admin:** https://firefrostgaming.com/ghost  
+**Version (vulnerable):** 6.16.1  
+**Database:** MySQL 8  
+**Environment:** Production

docs/tasks/ghost-security-update/deployment-plan.md

@@ -0,0 +1,177 @@
+# Deployment Plan — Ghost CMS Security Update
+
+**Task:** Ghost CMS Security Update  
+**Document Type:** deployment-plan  
+**Status:** ACTIVE  
+**Last Updated:** 2026-03-10  
+**Target Version:** 6.19.3 (patches CVE-2026-26980 + CVE-2026-29784)
+
+---
+
+## Pre-Flight
+
+SSH into Ghost VPS:
+
+```bash
+ssh root@64.50.188.14
+```
+
+Check current Ghost version to confirm:
+
+```bash
+ghost version
+```
+
+If `ghost` command not found, detect install method:
+
+```bash
+which ghost
+```
+
+```bash
+docker ps | grep ghost
+```
+
+```bash
+find / -name "ghost" -type d 2>/dev/null | grep -v proc | head -10
+```
+
+---
+
+## Step 1 — Identify Install Method
+
+**If `ghost version` works → Ghost CLI install. Follow Path A.**
+
+**If `docker ps` shows a Ghost container → Docker install. Follow Path B.**
+
+---
+
+## Path A: Ghost CLI Update (most likely)
+
+**Step 1 — Navigate to Ghost directory:**
+
+```bash
+cd /var/www/ghost
+```
+
+**Step 2 — Run the update:**
+
+```bash
+ghost update 6.19.3
+```
+
+**Step 3 — Confirm version:**
+
+```bash
+ghost version
+```
+
+**Step 4 — Check status:**
+
+```bash
+ghost status
+```
+
+Expected output: Ghost is running, version 6.19.3
+
+---
+
+## Path B: Docker Update
+
+**Step 1 — Find the compose file:**
+
+```bash
+find / -name "docker-compose.yml" 2>/dev/null | xargs grep -l ghost
+```
+
+**Step 2 — Navigate to it:**
+
+```bash
+cd /path/to/ghost/compose/
+```
+
+**Step 3 — Update the image tag in docker-compose.yml:**
+
+Change:
+```
+image: ghost:6.16.1
+```
+To:
+```
+image: ghost:6.19.3
+```
+
+**Step 4 — Pull and restart:**
+
+```bash
+docker-compose pull
+```
+
+```bash
+docker-compose up -d
+```
+
+**Step 5 — Confirm:**
+
+```bash
+docker ps | grep ghost
+```
+
+---
+
+## Post-Update Verification
+
+**Check the admin panel loads:**
+
+```
+https://firefrostgaming.com/ghost
+```
+
+**Verify version in admin footer — should read 6.19.3**
+
+**Check site is serving correctly:**
+
+```
+https://firefrostgaming.com
+```
+
+**Check Ghost process is healthy:**
+
+```bash
+ghost status
+```
+
+---
+
+## If Something Goes Wrong
+
+**Ghost CLI rollback:**
+
+```bash
+ghost update --rollback
+```
+
+**Check logs:**
+
+```bash
+ghost log
+```
+
+**Ghost service restart:**
+
+```bash
+ghost restart
+```
+
+---
+
+## Completion Checklist
+
+- [ ] SSH into Ghost VPS
+- [ ] Confirmed current version (6.16.1)
+- [ ] Identified install method (CLI or Docker)
+- [ ] Updated to 6.19.3
+- [ ] Confirmed version in admin panel footer
+- [ ] Site loading correctly post-update
+- [ ] Update task status to COMPLETE
+- [ ] Update infrastructure manifest with Ghost CMS entry