CVE-2026-26980 (CVSS 9.4) + CVE-2026-29784 (CVSS 7.5). Current version: 6.16.1 (vulnerable). Target version: 6.19.3 (patches both CVEs). Exposure window: March 2 - present. Deployment plan covers both Ghost CLI and Docker update paths. Ghost CMS flagged as undocumented service — manifest update needed. Created by Chronicler #29
Ghost CMS Security Update — CVE-2026-26980 + CVE-2026-29784
Status: URGENT — PATCH IMMEDIATELY
Owner: Michael "Frostystyle" Krause
Priority: Tier 0 — Critical Security
Created: 2026-03-10
Created By: Chronicler #29
Situation
Ghost CMS at firefrostgaming.com is running v6.16.1, which is vulnerable to two active CVEs.
| CVE | Severity | Description | Fixed In |
|---|---|---|---|
| CVE-2026-26980 | Critical (CVSS 9.4) | SQL injection in Content API — unauthenticated attackers can read arbitrary data from the database | 6.19.1 |
| CVE-2026-29784 | High (CVSS 7.5) | CSRF flaw on /session/verify endpoint — account takeover via phishing | 6.19.3 |
No application-level workaround exists for CVE-2026-26980. Must update.
Exposure window: March 2, 2026 (alert received) — present. Site is public-facing.
Target version: 6.19.3 (patches both CVEs)
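The table above gives a "Fixed In" version per CVE, which is what the post-update verification has to be checked against. The script below is an added example, not part of this ticket or the deployment plan: it compares a reported Ghost version against the two thresholds from the table (6.19.1 and 6.19.3) and lists which CVEs are still open. The function names (`version_lt`, `ghost_open_cves`, `ghost_is_vulnerable`) are my own, and a pre-release suffix such as `-beta.1` is ignored for the comparison (an assumption about how such versions should be treated).

```shell
#!/bin/sh
# Added example (not from the ticket): decide whether a Ghost version is still
# exposed to CVE-2026-26980 / CVE-2026-29784 using the "Fixed In" values above.

FIXED_26980="6.19.1"   # CVE-2026-26980 fixed in this release (per ticket table)
FIXED_29784="6.19.3"   # CVE-2026-29784 fixed in this release (per ticket table)

# version_lt A B: exit 0 if MAJOR.MINOR.PATCH of A is strictly lower than B.
# Any "-suffix" (pre-release tag) is dropped before comparing; components
# are compared numerically, so non-numeric components are not supported.
version_lt() {
    v1=${1%%-*}; v2=${2%%-*}
    oldIFS=$IFS; IFS=.
    set -- $v1; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $v2; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$oldIFS
    if [ "$a1" -lt "$b1" ]; then return 0; fi
    if [ "$a1" -gt "$b1" ]; then return 1; fi
    if [ "$a2" -lt "$b2" ]; then return 0; fi
    if [ "$a2" -gt "$b2" ]; then return 1; fi
    if [ "$a3" -lt "$b3" ]; then return 0; fi
    return 1
}

# ghost_open_cves VERSION: print the CVE ids still unpatched at VERSION,
# space-separated (empty line when both are fixed).
ghost_open_cves() {
    out=""
    if version_lt "$1" "$FIXED_26980"; then out="CVE-2026-26980"; fi
    if version_lt "$1" "$FIXED_29784"; then out="${out:+$out }CVE-2026-29784"; fi
    printf '%s\n' "$out"
}

# ghost_is_vulnerable VERSION: exit 0 if at least one CVE is still open.
ghost_is_vulnerable() {
    [ -n "$(ghost_open_cves "$1")" ]
}

# Report for the version recorded in the ticket (6.16.1) and the target (6.19.3).
for v in 6.16.1 6.19.3; do
    open=$(ghost_open_cves "$v")
    if [ -n "$open" ]; then
        echo "Ghost $v: VULNERABLE, open: $open"
    else
        echo "Ghost $v: patched against both CVEs"
    fi
done
```

To feed it a live value after the update, read the installed version from the host rather than trusting the ticket: for a Ghost-CLI install, `ghost version` (run from the install directory) reports the Ghost version; for the Docker path, the official image keeps the installed package under `/var/lib/ghost/current` (an assumption about the image layout), so `docker exec <container> node -p "require('/var/lib/ghost/current/package.json').version"` returns it. Pipe the result into `ghost_is_vulnerable` and treat a zero exit status as "update not complete".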
Quick Links
- Deployment Plan — Step-by-step update procedure
- Infrastructure Note — Ghost CMS added to manifest
Infrastructure Note
Ghost CMS was not previously documented in the infrastructure manifest. This update task also triggers an infrastructure manifest update to add Ghost CMS as a service on Ghost VPS.
Server: Ghost VPS (64.50.188.14)
URL: https://firefrostgaming.com
Admin: https://firefrostgaming.com/ghost
Version (vulnerable): 6.16.1
Database: MySQL 8
Environment: Production