Critical SQL Injection (CVE‑2026‑26980) in Ghost CMS Enables ClickFix Attacks on 700+ Sites
What It Is – Ghost CMS (v4.0‑4.5) contains a critical unauthenticated SQL injection (CVE‑2026‑26980) in its Content API. The flaw lets attackers read arbitrary database rows and inject malicious JavaScript into pages served by the CMS.
Exploitability – Public proof‑of‑concepts and active exploitation have been observed. Threat actors are leveraging the vulnerability to deliver ClickFix (ad‑fraud) payloads on more than 700 compromised sites. CVSS 9.4 (Critical).
Affected Products – Ghost CMS (all supported versions prior to the vendor‑released patch on 2026‑05‑15).
TPRM Impact – Organizations that embed Ghost as a third‑party content platform face supply‑chain exposure: compromised sites can be used to siphon ad revenue, damage brand reputation, and expose visitor data to malicious scripts.
Recommended Actions –
- Immediately apply Ghost’s security patch (v4.5.1 or later).
- Conduct a rapid inventory of all Ghost instances across your vendor ecosystem.
- Scan production sites for unauthorized JavaScript injections and remove malicious code.
- Enforce Web Application Firewall (WAF) rules that block suspicious Content API queries.
- Review contracts with agencies that host or manage Ghost‑based sites; add remediation clauses.
Source: The Hacker News