Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks
Summary
Threat actors are actively exploiting CVE-2026-26980, a critical SQL injection vulnerability in Ghost CMS, to inject malicious JavaScript. The campaign has already affected over 700 websites, which are being hijacked to deliver ClickFix attacks.
IFF Assessment
Active exploitation of a critical vulnerability that allows arbitrary data reading and code injection represents a significant threat to websites and their users.
Severity
The CVSS score of 9.4 indicates critical severity, primarily due to the attack vector (network), the ability to read arbitrary data, and the potential for significant impact on confidentiality and integrity.
Defender Context
This incident highlights the importance of promptly patching Ghost CMS, especially for critical vulnerabilities such as SQL injection flaws. Defenders should monitor their Ghost installations for signs of unauthorized JavaScript injection and suspicious network activity, as similar attacks targeting other content management systems may emerge.