Ghost CMS versions 3.24.0 through 6.19.0 contain a critical unauthenticated blind SQL injection in the Content API, confirmed actively exploited and listed in the CISA KEV catalog. Any internet-facing Ghost instance in the affected version range should be treated as compromised until patched to 6.19.1 and post-exploitation artifacts are ruled out. No credentials or special access are required to exploit this vulnerability.
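The following is an added example, not code from the Ghost project or from this advisory: a triage helper that sorts an inventory of Ghost instances against the version range stated above. The inventory format, hostnames, sample versions and status labels are assumptions made for illustration.

```python
import re

# Version boundaries taken from the advisory text above.
FIRST_AFFECTED = (3, 24, 0)
LAST_AFFECTED = (6, 19, 0)
FIXED = (6, 19, 1)

# Strict x.y.z only; pre-release or build suffixes are deliberately not accepted.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return (major, minor, patch), or None if the string is not plain x.y.z."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_text):
    """Map a Ghost version string to a triage status (labels are illustrative)."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"      # unparseable: verify by hand, never assume safe
    if FIRST_AFFECTED <= v <= LAST_AFFECTED:
        return "affected"     # patch, then rule out post-exploitation artifacts
    if v >= FIXED:
        return "fixed"        # still review if it ever ran an affected version
    return "below-range"      # older than 3.24.0, outside the stated range


def triage(inventory):
    """Group hostnames by status; inventory is {hostname: version string}."""
    result = {}
    for host, version in sorted(inventory.items()):
        result.setdefault(classify(version), []).append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "blog.example.org": "5.82.2",
    "news.example.org": "v6.19.0",
    "docs.example.org": "6.19.1",
    "old.example.org": "3.23.1",
    "lab.example.org": "6.x",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
```

A host reported as "fixed" only reflects its current version; if it was internet-facing while it ran an affected release, the artifact review described above still applies.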