Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign
A significant SQL injection vulnerability in Ghost CMS is being exploited in a large-scale ClickFix campaign. The flaw affects numerous domains, including those of prestigious universities and various companies. Website administrators are urged to upgrade to the latest version to mitigate risks and secure their sites.
- The SQL injection vulnerability, identified as CVE-2026-26980, allows attackers to read arbitrary data from the website database.
- More than 700 domains have been impacted, including sites belonging to Harvard and Oxford universities.
- The recommended action for website administrators is to upgrade to Ghost CMS version 6.19.1 or later and rotate all previously used keys.
Opening excerpt (first ~120 words)
By Bill Toulas, May 24, 2026, 10:12 AM

A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript code that triggers ClickFix attack flows. The campaign was discovered by XLab threat intelligence researchers at Chinese cybersecurity company Qianxin, who confirmed impact on more than 700 domains, including university portals, AI/SaaS companies, media outlets, fintech firms, security sites, and personal blogs. According to the researchers, threat actors planted malicious code on the websites of Harvard University, Oxford University, Auburn University, and DuckDuckGo.
…
The full article is at BleepingComputer.