
Week in Security: Feb 24 – Mar 2, 2026
This was a week where the most interesting stories weren't the loudest ones. No mega-breach, no nation-state drama dominating the feeds — just a steady accumulation of things that matter: a pattern in how projects hide vulnerabilities, a security control that doesn't work, and some hard numbers that turn a vibe into a thesis. The AI tooling threat surface kept expanding in ways that feel inevitable in retrospect. Pay attention to the quiet stuff.

The Silent Patch Pattern Is a Policy Choice (Ghost CVE-2026-26980)

Ghost shipped v6.19.1 with a fix for a SQL injection in its Content API slug filter — unauthenticated, affecting v3.24.0 through v6.19.0, present for years. No CVE in the release notes. No advisory. No forum post. The fix is real and the root cause is interesting (array notation passed unsanitized to the query builder, fixed with a tight regex validator), but the disclosure is Ghost's standard: route everything through security email, say
Continue reading on Dev.to


