Ecosystem	Package	Version

Vulnerabilities

CVE-2026-26980

CVE-2026-26980

Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.

Published Feb 19, 2026

https://github.com/advisories/GHSA-w52v-v783-gw97

CVSS ScoreHigh

7.5

Ecosystem	Package	Version


npm	ghost	3.24.0
npm	ghost	3.25.0
npm	ghost	3.26.0
npm	ghost	3.26.1
npm	ghost	3.27.0
npm	ghost	3.28.0
npm	ghost	3.29.0
npm	ghost	3.29.1
npm	ghost	3.29.2
npm	ghost	3.30.0
npm	ghost	3.30.1
npm	ghost	3.30.2
npm	ghost	3.31.0
npm	ghost	3.31.1
npm	ghost	3.31.2
npm	ghost	3.31.3
npm	ghost	3.31.4
npm	ghost	3.31.5
npm	ghost	3.32.1
npm	ghost	3.32.2
npm	ghost	3.33.0
npm	ghost	3.34.0
npm	ghost	3.34.1
npm	ghost	3.35.0
npm	ghost	3.35.1
npm	ghost	3.35.2
npm	ghost	3.35.3
npm	ghost	3.35.4
npm	ghost	3.35.5
npm	ghost	3.36.0
npm	ghost	3.37.0
npm	ghost	3.37.1
npm	ghost	3.38.0
npm	ghost	3.38.1
npm	ghost	3.38.2
npm	ghost	3.38.3
npm	ghost	3.39.0
npm	ghost	3.39.1
npm	ghost	3.39.2
npm	ghost	3.39.3
npm	ghost	3.40.0
npm	ghost	3.40.1
npm	ghost	3.40.2
npm	ghost	3.40.3
npm	ghost	3.40.4
npm	ghost	3.40.5
npm	ghost	3.41.0
npm	ghost	3.41.1
npm	ghost	3.41.2
npm	ghost	3.41.3

CVE-2026-26980 | Components Impacted | Sonatype Guide | Sonatype Guide