Active Exploitation of Ghost CMS SQL Injection (CVE‑2026‑26980) Powers ClickFix Malware Campaign Across 700 Sites
What It Is – A publicly disclosed SQL‑injection flaw in Ghost’s Content API (CVE‑2026‑26980) was patched months ago, but attackers are still abusing unpatched installations to steal the Admin API key and inject malicious JavaScript.
Exploitability – The vulnerability is being actively exploited in the wild; threat‑intel firm Qianxin reports over 700 compromised sites. No public PoC is needed beyond the observed campaign, and the CVSS‑3.1 base score is estimated at 8.6 (High).
Affected Products – Ghost CMS (all versions prior to the February 2026 patch).
TPRM Impact – Any organization that outsources its web presence to a Ghost‑powered site inherits the risk of becoming a malware distribution point, potentially exposing customers, partners, and brand reputation.
Recommended Actions –
- Verify Ghost version on all third‑party sites; immediately upgrade to the latest release that includes the CVE‑2026‑26980 fix.
- Rotate any exposed Admin API keys and revoke unused keys.
- Deploy a Web Application Firewall (WAF) rule to block the specific Content API injection pattern.
- Conduct a content integrity scan for injected scripts on all Ghost sites.
- Add Ghost CMS to your vendor risk inventory and require continuous patch‑management attestations from providers.
Source: Security Affairs – Ghost CMS flaw abused to push ClickFix attacks on hundreds of sites