Ghost CMS Vulnerability Exploited to Hack Over 700 Websites
Ghost CMS SQL injection vulnerability CVE-2026-26980 exploited to compromise 700+ websites including Harvard and Oxford.
Summary
A patched SQL injection vulnerability (CVE-2026-26980) in Ghost CMS has been actively exploited to compromise over 700 websites, including those belonging to Harvard University, Oxford University, and DuckDuckGo. Attackers leveraged the flaw to extract Admin API Keys and injected malicious JavaScript loaders for ClickFix attacks. At least two threat groups are competing to compromise the same targets, with exploitation beginning in early May despite the patch being available since February.
Full text
A vulnerability patched a few months ago in the Ghost content management system (CMS) has been exploited to hack hundreds of websites, including ones belonging to major organizations, according to Chinese cybersecurity company Qianxin.

The exploited vulnerability is tracked as CVE-2026-26980 and its existence came to light in February when it was patched.

Ghost is a widely used open source CMS designed specifically for blogging, newsletters, and publishing, offering built-in tools for memberships, subscriptions, and audience monetization. According to its developer, Ghost is actively used by over 100,000 websites.

When CVE-2026-26980 was disclosed, SentinelOne warned that the vulnerability, an SQL injection flaw, can be exploited by unauthenticated attackers to extract sensitive data from the Ghost database. The security firm noted that an attacker could obtain authentication tokens, user credentials, and website content.

Qianxin reported last week that CVE-2026-26980 has been exploited in mass attacks against unpatched Ghost instances. Threat actors leveraged the flaw to obtain the targeted sites’ Admin API Key and then used the API to alter articles posted on Ghost-powered sites. Specifically, the attackers injected malicious JavaScript loaders designed for ClickFix attacks.

The compilation timestamp of a DLL file used in the attack is February 16, the day a patch was announced for CVE-2026-26980. Qianxin started seeing compromised websites in early May.

The security firm has identified more than 700 websites compromised in the campaign, including ones belonging to major organizations such as DuckDuckGo, Harvard University, and Oxford University. An analysis showed that nearly half of the hacked websites are personal blogs and independent sites, but dozens belong to software development and tech blogs, AI, cryptocurrency, and various other types of entities.

Qianxin has alerted many of the victims, but said a vast majority did not respond to its notifications. “At least two groups are currently actively conducting such poisoning operations, and some sites have even become the target of competition between the two parties, with different malicious code being implanted one after another within a single day,” Qianxin said.

Written By Eduard Kovacs. Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek.
Indicators of Compromise
- cve — CVE-2026-26980
- malware — ClickFix malicious JavaScript loaders