firefrost-gaming/firefrost-operations-manual
3
0
Fork 0
Code Issues 146 Pull Requests Packages Projects Releases Wiki Activity
Files
dacb247fafad02f6df0d35f9f8caee08758e4d64
firefrost-operations-manual/docs/tasks/ghost-security-update/README.md
Claude 830599ce44 feat: add Task #38 — Ghost CMS urgent security update 
CVE-2026-26980 (CVSS 9.4) + CVE-2026-29784 (CVSS 7.5)
Current version: 6.16.1 (vulnerable)
Target version: 6.19.3 (patches both CVEs)
Exposure window: March 2 - present

Deployment plan covers both Ghost CLI and Docker update paths.
Ghost CMS flagged as undocumented service — manifest update needed.

Created by Chronicler #29
2026-03-10 23:18:56 +00:00

45 lines
1.5 KiB
Markdown
Raw Blame History

# Ghost CMS Security Update — CVE-2026-26980 + CVE-2026-29784
**Status:** URGENT — PATCH IMMEDIATELY
**Owner:** Michael "Frostystyle" Krause
**Priority:** Tier 0 — Critical Security
**Created:** 2026-03-10
**Created By:** Chronicler #29
---
## Situation
Ghost CMS at firefrostgaming.com is running v6.16.1, which is vulnerable to two active CVEs.
| CVE | Severity | Description | Fixed In |
|-----|----------|-------------|----------|
| CVE-2026-26980 | Critical (CVSS 9.4) | SQL injection in Content API — unauthenticated attackers can read arbitrary data from the database | 6.19.1 |
| CVE-2026-29784 | High (CVSS 7.5) | CSRF flaw on `/session/verify` endpoint — account takeover via phishing | 6.19.3 |
**No application-level workaround exists for CVE-2026-26980.** Must update.
**Exposure window:** March 2, 2026 (alert received) — present. Site is public-facing.
**Target version: 6.19.3** (patches both CVEs)
---
## Quick Links
- [Deployment Plan](deployment-plan.md) — Step-by-step update procedure
- [Infrastructure Note](infrastructure-note.md) — Ghost CMS added to manifest
---
## Infrastructure Note
Ghost CMS was not previously documented in the infrastructure manifest. This update task also triggers an infrastructure manifest update to add Ghost CMS as a service on Ghost VPS.
**Server:** Ghost VPS (64.50.188.14)
**URL:** https://firefrostgaming.com
**Admin:** https://firefrostgaming.com/ghost
**Version (vulnerable):** 6.16.1
**Database:** MySQL 8
**Environment:** Production
Reference in New Issue View Git Blame Copy Permalink