Ghost CMS Flaw Exploited to Compromise 700+ Websites

Cybercriminals are actively exploiting CVE-2026-26980, a critical SQL injection vulnerability in Ghost CMS, to compromise over 700 websites. The flaw, rated 9.4 on the CVSS severity scale, exists in Ghost's Content API and allows attackers to inject malicious JavaScript code without authentication. This vulnerability is being weaponized to launch ClickFix attacks, a social engineering technique that deceives users into downloading malware. Security researchers at QiAnXin XLab discovered the widespread exploitation campaign. Website administrators using Ghost CMS are urged to apply security patches immediately to prevent unauthorized data access and malicious code injection on their platforms. Source: Security research report.
Original reporting by The Hacker News. We only summarise, never republish.