Ghost CMS flaw abused to push ClickFix attacks on hundreds of sites

Attackers are exploiting the patched Ghost CMS flaw CVE-2026-26980, compromising over 700 unpatched sites, including universities. This vulnerability allows threat actors to push ClickFix attacks. The flaw was fixed months ago, but many sites remain unpatched.

1. Ghost CMS is being exploited through the patched CVE-2026-26980 vulnerability.
2. Over 700 sites, including universities and well-known organizations, are affected, with many still unpatched.
3. Threat actors are pushing ClickFix attacks, which compromise sites and potentially spread malware.
4. Detection opportunities include identifying suspicious traffic patterns and unusual website behavior.

T1190 - Exploit Public-Facing Application

Immediately patch Ghost CMS to the latest version to prevent exploitation of CVE-2026-26980.