Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks

Threat actors are exploiting CVE-2026-26980, a critical SQL injection vulnerability in Ghost CMS, to inject malicious JavaScript code and fuel ClickFix attacks, affecting over 700 sites.

1. CVE-2026-26980: a critical SQL injection vulnerability in Ghost CMS's Content API
2. Over 700 sites affected, with potential for arbitrary data reading and malicious code injection
3. Attack chain involves exploitation of CVE-2026-26980 to inject malicious JavaScript code
4. Detection opportunity: monitoring for suspicious JavaScript code or SQL injection attempts

T1190: Exploit Public-Facing Application

Apply the latest patch for Ghost CMS to address CVE-2026-26980 and prevent exploitation