Home > Vulnerability Database > CVE-2026-22596

Mend.io Vulnerability Database

CVE-2026-22596

Good to know:

Date: January 9, 2026

Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL. This issue has been patched in versions 5.130.6 and 6.11.0.

Severity Score

6.7

Related Resources (6)

Url: https://github.com/TryGhost/Ghost/commit/cda236e455a7a30e828b6cba3c430e5796ded955

Url: https://github.com/TryGhost/Ghost

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-22596

Url: https://github.com/TryGhost/Ghost/commit/f2165f968bcdaae0e35590b38fa280ab03239391

Url: https://github.com/TryGhost/Ghost/security/advisories/GHSA-gjrp-xgmh-x9qq

Url: https://www.mend.io/vulnerability-database/CVE-2026-22596

Severity Score

6.7

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89

Top Fix

Upgrade Version

Upgrade to version ghost - 6.11.0;ghost - 5.130.6;https://github.com/TryGhost/Ghost.git - v5.130.6;https://github.com/TryGhost/Ghost.git - v6.11.0

Learn More

CVSS v3.1

Base Score:	6.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2026-22596

Good to know:

Date: January 9, 2026

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?