CVE-2026-26980
Ghost Foundation · Ghost CMS
Ghost CMS is vulnerable to unauthenticated arbitrary database reads, allowing attackers to extract sensitive information directly from the underlying database.
Executive summary
Ghost CMS versions 3.24.0 through 6.19.0 contain a critical vulnerability allowing unauthenticated attackers to perform arbitrary database reads, risking total data exposure.
Vulnerability
The vulnerability allows an unauthenticated attacker to bypass standard access controls to read arbitrary data from the database. This occurs due to insufficient input validation within the Node.js-based content management system's core logic.
Business impact
The ability to read arbitrary database content poses a severe risk to confidentiality, potentially exposing user credentials, private posts, and configuration secrets. The CVSS score of 9.4 reflects the high impact on data integrity and confidentiality, which could lead to significant reputational damage and regulatory non-compliance.
Remediation
Immediate Action: Administrators must upgrade Ghost CMS to version 6.19.1 or later to resolve the information disclosure flaw.
Proactive Monitoring: Inspect database access logs for unusual query patterns or high volumes of data requests originating from the CMS application layer.
Compensating Controls: Deploy a Web Application Firewall (WAF) to filter and block suspicious SQL-like injection patterns or unauthorized REST API requests.
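A small triage helper for the first remediation step, added here as an example and not part of the advisory or of Ghost itself: it parses a Ghost version string and reports whether it falls inside the affected range 3.24.0 through 6.19.0 (fixed in 6.19.1). Reading the version from Ghost's package.json "version" field is an assumption, and the JSON sample below is constructed.

```python
import json
import re

# Range stated in the advisory: 3.24.0 through 6.19.0 inclusive; 6.19.1 carries the fix.
AFFECTED_MIN = (3, 24, 0)
FIXED_IN = (6, 19, 1)

# Accepts "6.19.0", "v6.19.0", and a pre-release/build suffix such as "6.19.1-rc.1".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?P<pre>-[0-9A-Za-z.]+)?(?:\+.*)?$")


def parse_version(text: str) -> tuple[tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_prerelease) for a Ghost version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch), m.group("pre") is not None


def is_affected(version: str) -> bool:
    """True when the version is in [3.24.0, 6.19.1).

    Edge case: a pre-release of the fix version (e.g. 6.19.1-rc.1) sorts before
    6.19.1 in semver, so it is treated conservatively as still affected.
    """
    base, prerelease = parse_version(version)
    if base == FIXED_IN and prerelease:
        return True
    return AFFECTED_MIN <= base < FIXED_IN


def report_from_package_json(text: str) -> dict:
    """Build a triage record from the contents of a Ghost install's package.json (assumed layout)."""
    version = json.loads(text)["version"]
    affected = is_affected(version)
    return {
        "version": version,
        "affected": affected,
        "action": "upgrade to 6.19.1 or later" if affected else "no action required for CVE-2026-26980",
    }


if __name__ == "__main__":
    # Constructed sample manifest; on a real host read the installed Ghost package.json instead.
    sample = '{"name": "ghost", "version": "6.18.2"}'
    print(report_from_package_json(sample))
```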
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability grants unauthenticated access to the heart of the CMS data layer. Security teams should treat this as a high-priority incident and apply the version 6.19.1 update immediately to prevent unauthorized data exfiltration.