
Ghost CMS SQL Injection Actively Exploited in Large-Scale ClickFix Campaign (CVE-2026-26980)

Scope: Ghost CMS Versions 3.24.0 to 6.19.0

Severity: Red

A critical unauthenticated SQL injection vulnerability (CVSS 9.4) in the Content API of Ghost CMS was patched in February 2026, but many installations have not been updated and the flaw is being actively exploited. Attackers use it to steal admin API keys and inject malicious JavaScript into published articles. The injected script presents visitors with a fake Cloudflare human-verification iframe that tricks them into pasting a command into the Windows Command Prompt, which drops DLL loaders, JavaScript droppers, or Electron-based malware onto their systems. XLab researchers confirmed over 700 compromised domains, including Harvard, Oxford, and Auburn universities, and observed at least two distinct attacker clusters re-infecting sites that had already been cleaned. Ghost CMS administrators must upgrade to version 6.19.1 immediately, rotate all admin API keys, and audit all published articles and themes for injected script tags or unexpected iframe content.
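An added audit helper for the last recommendation (example code, not CERT.UG/CC's or Ghost's own): it scans post HTML, in the `slug`/`html` shape the Ghost Content API returns for posts, and reports script tags and iframes that are inline or that load from a host outside an allowlist. The allowlisted host and the sample posts are constructed assumptions.

```python
"""Audit Ghost post HTML for injected <script> and <iframe> elements."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the site's own host(s); embeds from anywhere else get flagged.
ALLOWED_HOSTS = {"example-blog.invalid"}


class _TagCollector(HTMLParser):
    """Records every <script> and <iframe> start tag with its src (or None)."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self.hits.append((tag, dict(attrs).get("src")))


def suspicious_elements(html, allowed_hosts):
    """Return (tag, src) pairs that an administrator should review."""
    parser = _TagCollector()
    parser.feed(html)
    findings = []
    for tag, src in parser.hits:
        if src is None:
            findings.append((tag, "inline"))  # inline script or srcdoc iframe
            continue
        parsed = urlparse(src)
        if parsed.scheme not in ("", "http", "https"):
            findings.append((tag, src))  # javascript:, data: and similar
        elif parsed.hostname and parsed.hostname not in allowed_hosts:
            findings.append((tag, src))  # third-party host not on allowlist
        # relative src (no host) is treated as same-origin and not flagged
    return findings


def audit_posts(posts, allowed_hosts=ALLOWED_HOSTS):
    """Map each post slug to its suspicious elements; clean posts are omitted."""
    return {p["slug"]: f for p in posts
            if (f := suspicious_elements(p["html"], allowed_hosts))}


SAMPLE_POSTS = [  # constructed sample data, not real posts
    {"slug": "welcome", "html": '<p>Hi</p><iframe src="https://example-blog.invalid/e"></iframe>'},
    {"slug": "tampered", "html": '<p>Text</p><script src="https://cdn.attacker.invalid/x.js">'
                                 '</script><iframe src="https://verify.attacker.invalid/"></iframe>'},
    {"slug": "inline", "html": "<p>x</p><script>document.title = 'x'</script>"},
]

if __name__ == "__main__":
    for slug, found in audit_posts(SAMPLE_POSTS).items():
        print(slug, found)
```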

The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.