Web-Security
Ghost CMS CVE-2026-26980: Unauthenticated SQL Injection Powers a 700-Site ClickFix Campaign
CVE-2026-26980 is a CVSS 9.4 unauthenticated SQL injection in Ghost's Content API. A patch shipped in February; attackers have since industrialized it into an automated campaign that has hijacked 700+ sites — including Harvard, Oxford, and DuckDuckGo — to serve ClickFix malware.
Drupal SA-CORE-2026-004: Highly Critical Unauthenticated SQL Injection Hits PostgreSQL Sites
CVE-2026-9082 is a highly critical SQL injection in Drupal core's database abstraction API. Anonymous attackers can run arbitrary SQL against PostgreSQL-backed sites. Patches dropped May 20; exploitation is expected within days.
Smart Slider 3 Pro Update Infrastructure Compromised — Backdoored Build Pushed to 800K+ WordPress Sites
Attackers compromised Nextend's update servers to distribute a weaponized Smart Slider 3 Pro build containing a multi-layered RAT with credential exfiltration and persistent backdoors.