HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Critical SQL Injection (CVE‑2026‑26980) in Ghost CMS Enables ClickFix Attacks on 700+ Sites

A critical unauthenticated SQL injection (CVE‑2026‑26980) in Ghost CMS is being actively exploited to inject malicious JavaScript for ClickFix ad‑fraud. Over 700 websites are confirmed compromised, exposing brands to revenue loss and reputational damage. TPRM teams must patch immediately and audit all third‑party Ghost deployments.

LiveThreat™ Intelligence · 📅 May 25, 2026· 📰 thehackernews.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
5 recommended
📰
Source
thehackernews.com

Critical SQL Injection (CVE‑2026‑26980) in Ghost CMS Enables ClickFix Attacks on 700+ Sites

What It Is – Ghost CMS (v4.0‑4.5) contains a critical unauthenticated SQL injection (CVE‑2026‑26980) in its Content API. The flaw lets attackers read arbitrary database rows and inject malicious JavaScript into pages served by the CMS.

Exploitability – Public proof‑of‑concepts and active exploitation have been observed. Threat actors are leveraging the vulnerability to deliver ClickFix (ad‑fraud) payloads on more than 700 compromised sites. CVSS 9.4 (Critical).

Affected Products – Ghost CMS (all supported versions prior to the vendor‑released patch on 2026‑05‑15).

TPRM Impact – Organizations that embed Ghost as a third‑party content platform face supply‑chain exposure: compromised sites can be used to siphon ad revenue, damage brand reputation, and expose visitor data to malicious scripts.

Recommended Actions

  • Immediately apply Ghost’s security patch (v4.5.1 or later).
  • Conduct a rapid inventory of all Ghost instances across your vendor ecosystem.
  • Scan production sites for unauthorized JavaScript injections and remove malicious code.
  • Enforce Web Application Firewall (WAF) rules that block suspicious Content API queries.
  • Review contracts with agencies that host or manage Ghost‑based sites; add remediation clauses.

Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/05/ghost-cms-cve-2026-26980-exploited-to.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →