HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Active Exploitation of Ghost CMS SQL Injection (CVE‑2026‑26980) Powers ClickFix Malware Campaign Across 700 Sites

Attackers are leveraging the patched‑but‑unpatched Ghost CMS SQL injection (CVE‑2026‑26980) to steal admin API keys and inject malicious JavaScript. Over 700 websites, including universities and corporate blogs, have been compromised, turning trusted domains into malware delivery vectors. Third‑party risk teams must treat Ghost as a high‑risk supply‑chain component.

LiveThreat™ Intelligence · 📅 May 26, 2026· 📰 securityaffairs.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
5 recommended
📰
Source
securityaffairs.com

Active Exploitation of Ghost CMS SQL Injection (CVE‑2026‑26980) Powers ClickFix Malware Campaign Across 700 Sites

What It Is – A publicly disclosed SQL‑injection flaw in Ghost’s Content API (CVE‑2026‑26980) was patched months ago, but attackers are still abusing unpatched installations to steal the Admin API key and inject malicious JavaScript.

Exploitability – The vulnerability is being actively exploited in the wild; threat‑intel firm Qianxin reports over 700 compromised sites. No public PoC is needed beyond the observed campaign, and the CVSS‑3.1 base score is estimated at 8.6 (High).

Affected Products – Ghost CMS (all versions prior to the February 2026 patch).

TPRM Impact – Any organization that outsources its web presence to a Ghost‑powered site inherits the risk of becoming a malware distribution point, potentially exposing customers, partners, and brand reputation.

Recommended Actions

  • Verify Ghost version on all third‑party sites; immediately upgrade to the latest release that includes the CVE‑2026‑26980 fix.
  • Rotate any exposed Admin API keys and revoke unused keys.
  • Deploy a Web Application Firewall (WAF) rule to block the specific Content API injection pattern.
  • Conduct a content integrity scan for injected scripts on all Ghost sites.
  • Add Ghost CMS to your vendor risk inventory and require continuous patch‑management attestations from providers.

Source: Security Affairs – Ghost CMS flaw abused to push ClickFix attacks on hundreds of sites

📰 Original Source
https://securityaffairs.com/192655/cyber-crime/ghost-cms-flaw-abused-to-push-clickfix-attacks-on-hundreds-of-sites.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

This is the scenario continuous vendor monitoring is built to catch.

When a vendor is compromised, your SOC 2 vendor-management controls are what produce the audit trail showing you knew, assessed, and acted. The Verisq AI Trust Operations platform tracks that continuously.

Explore the Verisq AI Trust Operations platform →