ONE Sentinel

Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks

Source: The Hacker News
May 25, 2026

EXECUTIVE SUMMARY

Critical Ghost CMS Vulnerability Exploited in Widespread ClickFix Attacks

Summary

Threat actors are actively exploiting a critical vulnerability in Ghost CMS to conduct ClickFix attacks by injecting malicious JavaScript code. The flaw, identified as CVE-2026-26980, allows attackers to read arbitrary data from the system.

Key Points

  • The vulnerability is an SQL injection flaw in Ghost CMS's Content API.
  • CVE-2026-26980 has a CVSS score of 9.4, indicating its critical nature.
  • Over 700 websites have been compromised through this vulnerability.
  • The attacks involve injecting malicious JavaScript to facilitate ClickFix attacks.
  • The exploitation was reported by QiAnXin XLab.

Analysis

The exploitation of CVE-2026-26980 in Ghost CMS highlights the ongoing risks associated with SQL injection vulnerabilities, particularly in widely used content management systems. The high CVSS score underscores the potential impact and ease of exploitation, making it a significant threat to web administrators and developers relying on Ghost CMS.

Conclusion

IT professionals managing Ghost CMS should urgently apply patches and review security configurations to mitigate the risk of exploitation. Regular security audits and monitoring for unusual activity are recommended to prevent similar threats.