{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22596", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-07T21:50:39.532Z", "datePublished": "2026-01-10T02:57:19.792Z", "dateUpdated": "2026-01-12T17:37:41.086Z"}, "containers": {"cna": {"title": "Ghost has SQL Injection in Members Activity Feed", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-gjrp-xgmh-x9qq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-gjrp-xgmh-x9qq"}, {"name": "https://github.com/TryGhost/Ghost/commit/cda236e455a7a30e828b6cba3c430e5796ded955", "tags": ["x_refsource_MISC"], "url": "https://github.com/TryGhost/Ghost/commit/cda236e455a7a30e828b6cba3c430e5796ded955"}, {"name": "https://github.com/TryGhost/Ghost/commit/f2165f968bcdaae0e35590b38fa280ab03239391", "tags": ["x_refsource_MISC"], "url": "https://github.com/TryGhost/Ghost/commit/f2165f968bcdaae0e35590b38fa280ab03239391"}], "affected": [{"vendor": "TryGhost", "product": "Ghost", "versions": [{"version": ">= 6.0.0, < 6.11.0", "status": "affected"}, {"version": ">= 5.90.0, < 5.130.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-10T02:57:19.792Z"}, "descriptions": [{"lang": "en", "value": "Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL. This issue has been patched in versions 5.130.6 and 6.11.0."}], "source": {"advisory": "GHSA-gjrp-xgmh-x9qq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-12T17:37:34.204877Z", "id": "CVE-2026-22596", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T17:37:41.086Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22596", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-12T17:37:34.204877Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T17:37:36.940Z"}}], "cna": {"title": "Ghost has SQL Injection in Members Activity Feed", "source": {"advisory": "GHSA-gjrp-xgmh-x9qq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "TryGhost", "product": "Ghost", "versions": [{"status": "affected", "version": ">= 6.0.0, < 6.11.0"}, {"status": "affected", "version": ">= 5.90.0, < 5.130.6"}]}], "references": [{"url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-gjrp-xgmh-x9qq", "name": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-gjrp-xgmh-x9qq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/TryGhost/Ghost/commit/cda236e455a7a30e828b6cba3c430e5796ded955", "name": "https://github.com/TryGhost/Ghost/commit/cda236e455a7a30e828b6cba3c430e5796ded955", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/TryGhost/Ghost/commit/f2165f968bcdaae0e35590b38fa280ab03239391", "name": "https://github.com/TryGhost/Ghost/commit/f2165f968bcdaae0e35590b38fa280ab03239391", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL. This issue has been patched in versions 5.130.6 and 6.11.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-10T02:57:19.792Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22596", "state": "PUBLISHED", "dateUpdated": "2026-01-12T17:37:41.086Z", "dateReserved": "2026-01-07T21:50:39.532Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-10T02:57:19.792Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "2D327CA9-FD73-4ABD-96CF-093B90712BA8", "versionEndExcluding": "5.130.6", "versionStartIncluding": "5.90.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "9EC484AC-A1F0-4C13-BFAB-9DA57116957D", "versionEndExcluding": "6.11.0", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL. This issue has been patched in versions 5.130.6 and 6.11.0."}], "id": "CVE-2026-22596", "lastModified": "2026-01-15T18:35:34.103", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-10T03:15:50.703", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/TryGhost/Ghost/commit/cda236e455a7a30e828b6cba3c430e5796ded955"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/TryGhost/Ghost/commit/f2165f968bcdaae0e35590b38fa280ab03239391"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-gjrp-xgmh-x9qq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T07:13:58.377611+00:00", "value": {"mitigation_remediation": ["Upgrade Ghost to version 5.130.6 or later for the 5.x series, or to 6.11.0 or later for the 6.x series to remove the vulnerability.", "If an update cannot be applied immediately, restrict access to the /ghost/api/admin/members/events endpoint by implementing firewall rules or network segmentation so that only trusted IP addresses can reach the Admin API, and enforce Multi\u2011Factor Authentication for all Admin API credentials.", "Monitor application logs for suspicious SQL statements or failed authentication attempts against the Admin API endpoint, and investigate any anomalies promptly."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection Allowing Arbitrary Database Access"}, "threat_synthesis": {"affected_systems": "The affected products are Ghost versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3. These include all releases of Ghost v5.x and v6.x up to the listed boundaries. Patches were released in Ghost 5.130.6 and 6.11.0, eliminating the vulnerability. Systems running any of the vulnerable versions and exposing the Admin API should therefore be updated promptly.", "description_and_impact": "Ghost, a Node.js content management system, contains a SQL injection flaw in the /ghost/api/admin/members/events endpoint. The flaw enables users who possess valid Admin API credentials to inject and execute arbitrary SQL statements. Attackers could use this capability to read, modify, or delete database records, potentially extracting sensitive user information or escalating privileges within the system.", "risk_and_exploitability": "The CVSS base score of 6.7 indicates moderate severity, and the EPSS score of less than 1% shows a very low current exploitation probability. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires an attacker to authenticate against the Admin API; therefore, exposure is limited to actors who can obtain API credentials or have privileged access. While the risk is mitigated by low exploitation likelihood, any compromised or leaked credentials could allow an attacker to seize control of the database."}}}}, "created": "2026-01-12T14:36:36.703923+00:00", "updated": "2026-04-18T07:15:25.861022+00:00", "vendors": ["ghost", "ghost$PRODUCT$ghost"]}