Ghost-Cms

vulnerabilities 2026-05-25
Ghost CMS CVE-2026-26980: Unauthenticated SQL Injection Powers a 700-Site ClickFix Campaign
CVE-2026-26980 is a CVSS 9.4 unauthenticated SQL injection in Ghost's Content API. A patch shipped in February; attackers have since industrialized it into an automated campaign that has hijacked 700+ sites — including Harvard, Oxford, and DuckDuckGo — to serve ClickFix malware.
ghost-cms cve-2026-26980 sql-injection clickfix web-security active-exploitation

Ghost CMS CVE-2026-26980: Unauthenticated SQL Injection Powers a 700-Site ClickFix Campaign