# Ghost CMS Security Update — CVE-2026-26980 + CVE-2026-29784

**Status:** URGENT — PATCH IMMEDIATELY

**Owner:** Michael "Frostystyle" Krause

**Priority:** Tier 0 — Critical Security

**Created:** 2026-03-10

**Created By:** Chronicler #29

---

## Situation

Ghost CMS at firefrostgaming.com is running v6.16.1, which is vulnerable to two active CVEs.

| CVE | Severity | Description | Fixed In |
|-----|----------|-------------|----------|
| CVE-2026-26980 | Critical (CVSS 9.4) | SQL injection in Content API — unauthenticated attackers can read arbitrary data from the database | 6.19.1 |
| CVE-2026-29784 | High (CVSS 7.5) | CSRF flaw on `/session/verify` endpoint — account takeover via phishing | 6.19.3 |

**No application-level workaround exists for CVE-2026-26980.** Must update.

**Exposure window:** March 2, 2026 (alert received) — present. Site is public-facing.

**Target version: 6.19.3** (patches both CVEs)

---

## Quick Links

- [Deployment Plan](deployment-plan.md) — Step-by-step update procedure
- [Infrastructure Note](infrastructure-note.md) — Ghost CMS added to manifest

---

## Infrastructure Note

Ghost CMS was not previously documented in the infrastructure manifest. This update task also triggers an infrastructure manifest update to add Ghost CMS as a service on Ghost VPS.

**Server:** Ghost VPS (64.50.188.14)

**URL:** https://firefrostgaming.com

**Admin:** https://firefrostgaming.com/ghost

**Version (vulnerable):** 6.16.1

**Database:** MySQL 8

**Environment:** Production
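To confirm the running version before and after the update, the following added Python check (not part of this task page or of the Ghost project) compares a Ghost version string against the "Fixed In" versions from the CVE table above and lists which CVEs a given version still lacks a fix for. Treating a pre-release such as `6.19.3-rc.1` as older than the final `6.19.3` is an assumption made here so that a release candidate is never reported as already patched.

```python
import re
from typing import Dict, List, Tuple

# Advisories from the task's CVE table: CVE id -> first Ghost release carrying the fix.
FIXED_IN: Dict[str, str] = {
    "CVE-2026-26980": "6.19.1",
    "CVE-2026-29784": "6.19.3",
}

# Accepts "6.19.3", "v6.19.3", "6.19.3-rc.1" and "6.19.3+build.7" (semver-style).
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$"
)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a Ghost version string into a comparable tuple.

    The fourth element is 0 for a pre-release and 1 for a final release, so a
    pre-release of the fix version (6.19.3-rc.1) sorts below 6.19.3 itself and
    is not counted as patched. Build metadata after '+' does not affect order.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a recognisable Ghost version string: {text!r}")
    major, minor, patch, prerelease, _build = m.groups()
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def unpatched_cves(running: str, fixed_in: Dict[str, str] = FIXED_IN) -> List[str]:
    """Return the CVE ids from fixed_in whose fix is newer than the running version."""
    current = parse_version(running)
    return sorted(cve for cve, fix in fixed_in.items() if current < parse_version(fix))


def assert_patched(running: str, fixed_in: Dict[str, str] = FIXED_IN) -> None:
    """Raise if the running version is still exposed to any listed CVE (post-update gate)."""
    remaining = unpatched_cves(running, fixed_in)
    if remaining:
        raise RuntimeError(f"Ghost {running} is still exposed to: {', '.join(remaining)}")


if __name__ == "__main__":
    # Constructed sample versions: the current install, an intermediate
    # release, a release candidate of the target, the target and a later release.
    for version in ("6.16.1", "6.19.1", "6.19.3-rc.1", "6.19.3", "v6.20.0"):
        print(f"{version:>12}: {unpatched_cves(version) or 'all listed CVEs fixed'}")
```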