Ghost SQL Injection Vulnerability in Content API Allowing Arbitrary Database Reads

Vulnerability

A SQL injection vulnerability has been identified in the Ghost content management system, specifically in versions 3.24.0 prior to 6.19.0. This vulnerability allows unauthenticated attackers to perform arbitrary reads from the database via the Content API. The issue arises from the slug filter ordering, where user input is improperly sanitized before being interpolated into SQL queries. Exploitation of this vulnerability could lead to unauthorized access to sensitive data stored in the database.

Impact

Exploitation of this vulnerability allows for arbitrary database reads, potentially exposing sensitive information to attackers.

Reproduction

The vulnerability can be reproduced by sending a request to the Content API's tags endpoint with a slug filter that includes unsanitized values. This can be done by using the Content API key, which is public by design. The request should be made over the network, as the vulnerability exists in the application when it processes the incoming data without proper validation.

Remediation

Users can upgrade to Ghost version 6.19.1, which includes a patch for this vulnerability by updating to the latest version. Instructions for updating can be found in the Ghost documentation.

Added: Feb 20, 2026, 2:35 AM
Updated: Feb 20, 2026, 2:35 AM

Vulnerability Rating

Custom Algorithm
spread
5.2
impact
2.5
exploitability
9.3
remediation
7.9
relevance
2.0
threat
6.2
urgency
2.9
incentive
8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.