A critical SQL injection vulnerability in the Ghost CMS Content API, CVE-2026-26980, is being exploited by threat actors to hijack over 700 websites and inject malicious JavaScript that facilitates ClickFix attacks. The vulnerability has a CVSS score of 9.4 and allows unauthenticated attackers to read arbitrary data from the database. QiAnXin XLab identified the exploitation of this recently disclosed flaw. Exploitation of CVE-2026-26980 significantly expands the active attack surface, so organizations should prioritize mitigation based on their exposure and evidence of exploitation. The vulnerability poses a significant risk to organizations using Ghost CMS, and practitioners should promptly assess their exposure and apply the necessary patches to prevent potential attacks.