FixVibe
Covered by FixVibe. Severity: critical

Ghost versions 3.24.0 through 6.19.0 contain a critical SQL injection vulnerability in the Content API. This allows unauthenticated attackers to execute arbitrary SQL commands, potentially leading to data exfiltration or unauthorized modifications.

CVE-2026-26980 | GHSA-w52v-v783-gw97 | CWE-89

Impact

Ghost versions 3.24.0 through 6.19.0 are susceptible to a critical SQL injection vulnerability in the Content API [S1]. An unauthenticated attacker can exploit this flaw to execute arbitrary SQL commands against the underlying database [S2]. Successful exploitation could result in the exposure of sensitive user data or unauthorized modification of site content [S3]. This vulnerability has been assigned a CVSS score of 9.4, reflecting its critical severity [S2].

Root Cause

The issue stems from improper input validation within the Ghost Content API [S1], classified as CWE-89 (improper neutralization of special elements used in an SQL command). Specifically, the application fails to correctly neutralize user-supplied data before incorporating it into SQL queries [S2]. Because the untrusted value becomes part of the SQL text rather than a bound parameter, an attacker can alter the structure of the query by injecting SQL fragments of their own [S3].
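The following is an added example, not Ghost's code and not taken from the advisory: it contrasts a lookup that splices a caller-supplied value into SQL text (the CWE-89 pattern described above) with a parameterized version, and shows the allowlist check needed for the one input class that cannot be bound, identifiers. The table and column names, the `slug` parameter and the sort columns are assumptions for illustration.

```javascript
// Added example (not Ghost's code). Table/column names are assumed.

// Vulnerable pattern: the caller's value is concatenated into the query.
// A quote in `slug` terminates the literal and the remainder is parsed as SQL,
// so the input changes the statement's structure, not just a literal.
function buildPostQueryUnsafe(slug) {
  return `SELECT id, title FROM posts WHERE status = 'published' AND slug = '${slug}'`;
}

// Hardened pattern: the SQL text is constant and values travel as bindings.
// A driver that supports placeholders sends bindings out-of-band, so no
// character in `slug` can alter the statement.
function buildPostQuerySafe(slug) {
  return {
    sql: 'SELECT id, title FROM posts WHERE status = ? AND slug = ?',
    bindings: ['published', String(slug)],
  };
}

// Identifiers (column names, sort direction) cannot be bound as values, so
// they must be validated against a fixed allowlist before reaching the query.
const SORTABLE_COLUMNS = new Set(['published_at', 'title', 'updated_at']); // assumed

function buildOrderClause(column, direction = 'desc') {
  if (!SORTABLE_COLUMNS.has(column)) {
    throw new Error(`unsupported sort column: ${JSON.stringify(column)}`);
  }
  const dir = String(direction).toLowerCase() === 'asc' ? 'ASC' : 'DESC';
  return `ORDER BY ${column} ${dir}`;
}

// Constructed attacker input: closes the string literal and appends a tautology.
const PAYLOAD = "x' OR '1'='1";

// Returns both queries for the same payload so the difference is visible.
function demo() {
  return {
    unsafe: buildPostQueryUnsafe(PAYLOAD), // ... AND slug = 'x' OR '1'='1'
    safe: buildPostQuerySafe(PAYLOAD),     // sql unchanged, payload stays a binding
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
  console.log(buildOrderClause('title', 'asc'));
}
```

The unsafe builder returns a statement whose WHERE clause has been rewritten by the payload, while the safe builder returns the same SQL text for every input and carries the payload only in `bindings`. When reviewing a fix of this kind, check both halves: values must be parameterized, and anything that ends up as an identifier or keyword must pass an allowlist, since a placeholder cannot carry it.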

Affected Versions

Ghost versions starting from 3.24.0 up to and including 6.19.0 are vulnerable to this issue [S1][S2].

Remediation

Administrators should upgrade their Ghost installation to version 6.19.1 or later to resolve this vulnerability [S1]. This version includes patches that properly neutralize input used in Content API queries [S3].

Vulnerability Identification

Identification of this vulnerability involves verifying the installed version of the ghost package against the affected range (3.24.0 to 6.19.0) [S1]. Systems running these versions are considered at high risk for SQL injection via the Content API [S2].
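The following is an added example, not Ghost's code and not part of the advisory: a self-contained version check that decides whether a given Ghost version string falls inside the affected range 3.24.0 through 6.19.0 (inclusive) and whether it is at or beyond the fixed release 6.19.1. It assumes the version string is obtained separately, for example from Ghost-CLI's `ghost version` output or the `version` field of the installed package's package.json; the comparison is written out by hand so no semver package is needed.

```javascript
// Added example (not Ghost's code). Range boundaries are taken from the advisory.
const AFFECTED_MIN = '3.24.0';
const AFFECTED_MAX = '6.19.0';
const FIXED = '6.19.1';

// Parse "v?MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Numeric comparison of MAJOR.MINOR.PATCH; a pre-release sorts before the
// corresponding release (6.19.0-rc.1 < 6.19.0), as in semver.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// True when version is within [AFFECTED_MIN, AFFECTED_MAX].
function isAffected(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 &&
         compareVersions(version, AFFECTED_MAX) <= 0;
}

// True when version already carries the fix.
function isFixed(version) {
  return compareVersions(version, FIXED) >= 0;
}

function assess(version) {
  if (isAffected(version)) {
    return `Ghost ${version} is affected by CVE-2026-26980; upgrade to ${FIXED} or later`;
  }
  return isFixed(version)
    ? `Ghost ${version} includes the fix for CVE-2026-26980`
    : `Ghost ${version} predates the affected range`;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node check-ghost-version.js 6.18.0
  console.log(assess(process.argv[2] || '6.18.0'));
}
```

Feed the script the version actually running, not the version in a lockfile or image tag: an installation upgraded by copying files can report the new version in one place while still serving the old code. Treat any version inside the range as affected regardless of pre-release suffix, and confirm the upgrade by re-running the check against the live instance.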