Thehackernews
Ghost CMS SQL Injection Exploits 700+ Sites in Ongoing ClickFix Campaign
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS is being actively exploited in a large-scale cyberattack affecting over 700 websites, including those of Harvard University, Oxford University, Auburn University, and DuckDuckGo. The vulnerability allows unauthenticated attackers to read arbitrary data from the database, including sensitive admin API keys. Attackers leverage these keys to inject malicious JavaScript into articles, facilitating ClickFix attacks that trick users into executing harmful commands. Despite a patch being released on February 19, 2026, many sites remain unpatched and vulnerable. The campaign was first detected by XLab researchers at Qianxin on May 7, 2026, and has since expanded rapidly. The malicious scripts serve a fake Cloudflare verification prompt, leading victims to inadvertently download malware. The situation is ongoing as of May 25, 2026, with multiple threat actors involved.
Key Points: • CVE-2026-26980 allows unauthenticated access to Ghost CMS databases, affecting 700+ sites. • Attackers inject JavaScript to facilitate ClickFix attacks, using admin API keys for exploitation. • A patch was released on February 19, 2026, but many sites remain unprotected and vulnerable.