CVE-2026-22596: Ghost has SQL Injection in Members Activity Feed
A vulnerability in Ghost’s /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL.
References
- github.com/TryGhost/Ghost
- github.com/TryGhost/Ghost/commit/cda236e455a7a30e828b6cba3c430e5796ded955
- github.com/TryGhost/Ghost/commit/f2165f968bcdaae0e35590b38fa280ab03239391
- github.com/TryGhost/Ghost/security/advisories/GHSA-gjrp-xgmh-x9qq
- github.com/advisories/GHSA-gjrp-xgmh-x9qq
- nvd.nist.gov/vuln/detail/CVE-2026-22596