Ghost CMS SQL Injection Actively Exploited in Large-Scale ClickFix Campaign (CVE-2026-26980)

Scope: Ghost CMS Versions 3.24.0 to 6.19.0

Severity: Red

A critical unauthenticated SQL injection vulnerability (CVSS 9.4) in the Ghost CMS Content API was patched in February 2026, but many installations have not been updated and the flaw is now being exploited at scale. Attackers use it to silently steal admin API keys, then use those keys to inject malicious JavaScript into published articles. The injected script displays a fake Cloudflare human-verification iframe that tricks visitors into pasting a command into the Windows Command Prompt, which in turn drops DLL loaders, JavaScript droppers, or Electron-based malware onto their systems. XLab researchers at Qianxin have confirmed over 700 compromised domains, including Harvard University, Oxford University, and Auburn University, and have observed at least two distinct attacker clusters re-infecting sites that had already been cleaned. Ghost CMS administrators must upgrade to version 6.19.1 immediately, rotate all admin API keys, and audit all published articles and themes for injected script tags or unexpected iframe content.
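The audit step above (checking published articles for injected script tags or unexpected iframes) can be scripted. The following is an added example written for this advisory; it is not code from Ghost or from the researchers cited. It assumes each post is available as a dict with an `html` field (the shape Ghost's Content API returns for posts), and the allowlisted script host and the sample posts are constructed placeholders, not real values.

```python
"""Flag <script> and <iframe> elements in published post HTML.

Added example for auditing stored content after a Ghost CMS compromise.
Assumption: each post is a dict with an "html" field, as returned by the
Ghost Content API. The allowlist host and sample posts are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: script hosts the site legitimately embeds.
ALLOWED_SCRIPT_HOSTS = {"cdn.trusted-vendor.example"}


class InjectedContentScanner(HTMLParser):
    """Collect script/iframe findings while walking a post's HTML."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = allowed_hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser also routes self-closing tags (<iframe ... />) here.
        attrs = dict(attrs)
        if tag == "script":
            src = attrs.get("src")
            if src is None:
                # Inline scripts are where a fake verification overlay lives.
                self.findings.append(("inline-script", None))
            elif urlparse(src).hostname not in self.allowed_hosts:
                self.findings.append(("external-script", src))
        elif tag == "iframe":
            # Articles rarely need iframes; any one deserves a look.
            self.findings.append(("iframe", attrs.get("src")))


def scan_post_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of (finding_type, src) tuples for one post body."""
    scanner = InjectedContentScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def scan_posts(posts, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return {post id: findings} for every post that has any finding."""
    report = {}
    for post in posts:
        findings = scan_post_html(post.get("html") or "", allowed_hosts)
        if findings:
            report[post["id"]] = findings
    return report


# Constructed sample posts (not real data): one clean, one tampered.
SAMPLE_POSTS = [
    {"id": "p1", "title": "Clean article",
     "html": '<p>Welcome.</p>'
             '<script src="https://cdn.trusted-vendor.example/a.js"></script>'},
    {"id": "p2", "title": "Tampered article",
     "html": '<p>Welcome.</p>'
             '<script>/* injected */ document.body.innerHTML += "";</script>'
             '<iframe src="https://attacker-controlled.example/verify"></iframe>'},
]

if __name__ == "__main__":
    for post_id, findings in scan_posts(SAMPLE_POSTS).items():
        print(post_id, findings)
```

Run it against a full export of posts (and, separately, against theme template files, which the advisory also asks you to audit) and treat every inline script, non-allowlisted script source, or iframe as something to inspect by hand; re-run after cleanup, since the advisory notes attackers re-infecting sites that had been cleaned.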

The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.