SB20260427162 - Multiple vulnerabilities in Ghost

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) SQL injection (CVE-ID: CVE-2026-26980)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to sql injection in the Content API when processing crafted filter query parameters. A remote attacker can send a specially crafted request to disclose sensitive information.

2) Input validation error (CVE-ID: CVE-2026-29053)

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper input validation in the theme installation and processing functionality when handling specially crafted themes. A remote privileged user can install a specially crafted malicious theme to execute arbitrary code.

User interaction is required to install the crafted theme.

Remediation

Install update from vendor's website.

References

• https://github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97
• https://github.com/TryGhost/Ghost/security/advisories/GHSA-cgc2-rcrh-qr5x