6.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-22596

CVE-2026-22596: Ghost has SQL Injection in Members Activity Feed

Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL. This issue has been patched in versions 5.130.6 and 6.11.0.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-22596

CVE-2026-22596:

6.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ghost	npm	>= 6.0.0, <= 6.10.3	6.11.0
ghost	npm	>= 5.105.0, <= 5.130.5	5.130.6

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the EventRepository.getAggregatedClickEvents function, located in ghost/core/core/server/services/members/members-api/repositories/EventRepository.js. The analysis of the patch clearly shows that the postId parameter, which is extracted from the filter argument, was used directly in a SQL query string. This allows for SQL injection if a malicious string is passed as the postId. The fix involves a new function, getPostIdFromFilter, which validates the postId as a valid ObjectID before it is used in the query. The vulnerable function getAggregatedClickEvents would appear in a runtime profile during exploitation of this vulnerability.

Vulnerable functions

EventRepository.getAggregatedClickEvents

ghost/core/core/server/services/members/members-api/repositories/EventRepository.js

The function `getAggregatedClickEvents` in `EventRepository.js` was vulnerable to SQL injection. The `postId` variable, derived from user-controlled filter input, was directly concatenated into a raw SQL query string without proper sanitization. An attacker could provide a malicious `postId` in the filter to execute arbitrary SQL commands on the database.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-22596: Ghost has SQL Injection in Members Activity Feed

CVE-2026-22596:

6.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2026-22596: Ghost has SQL Injection in Members Activity Feed

6.7

6.7

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI