Critical Ghost CMS Flaw Actively Exploited

A critical SQL injection flaw in Ghost CMS is being actively exploited to inject malicious JavaScript into websites for click-based attacks.

A critical security vulnerability in the Ghost content management system is being actively exploited by attackers. The flaw, tracked as CVE-2026-26980, is a severe SQL injection vulnerability found within the platform's Content API. It has been assigned a critical severity score of 9.4 out of 10, reflecting its potential for significant damage. A key concern is that an attacker does not need to be authenticated to exploit this weakness, which allows them to read arbitrary data from a target website's database. Security researchers at QiAnXin XLab first reported the active exploitation, observing attackers injecting malicious JavaScript code into compromised sites.

The main objective of these ongoing attacks is to facilitate "ClickFix attacks," a term that suggests a form of ad fraud or malicious traffic redirection. By successfully injecting their scripts, attackers can manipulate user interactions, potentially redirecting visitors to other sites or generating fraudulent ad clicks. This poses a serious risk to any organization running a vulnerable version of the Ghost CMS. The impact extends beyond simple site defacement, potentially leading to sensitive data exposure from the database, significant reputational damage, and a severe erosion of user trust. The vulnerability's location in a core API makes it an urgent and high-priority issue for all administrators.

This is an actively exploited, unauthenticated, critical-severity vulnerability in a popular CMS, putting thousands of websites at immediate risk of data theft and hijacking.

Compromised sites face reputational damage, loss of user trust, and potential legal issues if sensitive user data is exposed through the database.