Archived to docs/archive/retired-tasks/:
- Ghost CMS tasks (6 folders) - retired April 2, 2026
- Paymenter tasks (2 folders) - retired April 3, 2026
- Ghost website pages

Removed duplicate templates:
- MEMORIAL-TEMPLATE.md (keeping lowercase version)
- PORTRAIT-PROMPT-TEMPLATE.md (keeping lowercase version)
- SESSION-REPORT-TEMPLATE.md (keeping lowercase version)
- OPENER-TEMPLATE.md

Chronicler #66
Ghost CMS Security Update — CVE-2026-26980 + CVE-2026-29784
Status: URGENT — PATCH IMMEDIATELY
Owner: Michael "Frostystyle" Krause
Priority: Tier 0 — Critical Security
Created: 2026-03-10
Created By: Chronicler #29
Situation
Ghost CMS at firefrostgaming.com is running v6.16.1, which is vulnerable to two active CVEs.
| CVE | Severity | Description | Fixed In |
|---|---|---|---|
| CVE-2026-26980 | Critical (CVSS 9.4) | SQL injection in Content API — unauthenticated attackers can read arbitrary data from the database | 6.19.1 |
| CVE-2026-29784 | High (CVSS 7.5) | CSRF flaw on /session/verify endpoint — account takeover via phishing | 6.19.3 |
No application-level workaround exists for CVE-2026-26980. Must update.
Exposure window: March 2, 2026 (alert received) — present. Site is public-facing.
Target version: 6.19.3 (patches both CVEs)
Quick Links
- Deployment Plan — Step-by-step update procedure
- Infrastructure Note — Ghost CMS added to manifest
Infrastructure Note
Ghost CMS was not previously documented in the infrastructure manifest. This update task also triggers an infrastructure manifest update to add Ghost CMS as a service on Ghost VPS.
Server: Ghost VPS (64.50.188.14)
URL: https://firefrostgaming.com
Admin: https://firefrostgaming.com/ghost
Version (vulnerable): 6.16.1
Database: MySQL 8
Environment: Production