REPRO-2026-00091 CRITICAL SQLi Verified

Ghost CMS: Unauthenticated SQL Injection in Content API Slug Filter

ghost (npm) Feb 19, 2026

Confidence HIGH

Reproduced in 4m 15s

Tool calls 71

Affected >= 3.24.0, < 6.19.1

Fixed in 6.19.1

What's the vulnerability?

A SQL injection vulnerability existed in Ghost's Content API that allowed unauthenticated attackers to read arbitrary data from the database.

One Command

Run the Pruva CLI to automatically fetch and execute the reproduction script.

pruva-verify REPRO-2026-00091

or pruva-verify GHSA-w52v-v783-gw97

or pruva-verify CVE-2026-26980

Install: curl -fsSL https://pruva.dev/install.sh | sh

curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00091/artifacts/repro/reproduction_steps.sh

chmod +x reproduction_steps.sh

./reproduction_steps.sh

Run in a VM, container, or disposable environment. This exploits a real vulnerability.

Watch the AI agent's step-by-step process.

Loading session...