
Hackers Use Ghost CMS Flaw to Infect 700+ Websites With ClickFix Malware

Discover how a critical Ghost CMS flaw (CVE-2026-26980) enabled hackers to infect over 700 sites with malware. Patch and secure your site now.
Content Team

A critical SQL injection vulnerability in Ghost CMS (CVE-2026-26980) has been exploited by at least two hacker groups to quietly poison over 700 websites with ClickFix malware. First disclosed February 19, 2026, the flaw lets unauthenticated attackers steal Admin API keys and rewrite article content at scale.

Researchers at Qianxin XLab spotted the campaign on May 7. By May 17, compromised sites included Harvard, Oxford, and Auburn University, spanning blockchain, fintech, and media industries. Visitors saw nothing suspicious — malicious JavaScript hid at the bottom of articles, eventually serving a fake Cloudflare verification page that tricked users into running malware themselves.

Ghost CMS admins should patch immediately, rotate all credentials, and audit access logs.
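As a starting point for the content side of that audit, the sketch below flags `<script>` tags in post HTML that have no article text after them, which is the placement described above. It is an added example, not code from Ghost or from the researchers. It assumes post records are available as dictionaries with `slug` and `html` fields, and the allow-list, hosts and sample posts are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptScan(HTMLParser):
    """Collect every <script> tag and the amount of visible text after it."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.scripts = []          # each entry: [src or None, visible chars after]
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append([dict(attrs).get("src"), 0])
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:    # script bodies are not visible text
            for entry in self.scripts:
                entry[1] += len(data.strip())

def audit_posts(posts, allowed_hosts):
    """Return one finding per script that is inline or loads from an unlisted host."""
    findings = []
    for post in posts:
        scan = ScriptScan()
        scan.feed(post.get("html") or "")
        scan.close()               # flush text buffered after the last tag
        for src, chars_after in scan.scripts:
            host = urlparse(src).hostname if src else None
            if src and (host is None or host in allowed_hosts):
                continue           # relative (same-site) or allow-listed source
            findings.append({"slug": post["slug"], "src": src or "<inline>",
                             "trailing": chars_after == 0})
    # Scripts with no article text after them sort first for review.
    return sorted(findings, key=lambda f: not f["trailing"])

# Constructed sample data; hosts and slugs are placeholders, not indicators.
SAMPLE_POSTS = [
    {"slug": "clean", "html": "<p>Hello</p>"},
    {"slug": "embed", "html": '<p>A</p><script src="https://platform.twitter.com/widgets.js"></script><p>B</p>'},
    {"slug": "tail-ext", "html": '<p>Body</p><script src="//cdn.example.invalid/a.js"></script>\n'},
    {"slug": "tail-inline", "html": "<p>Body</p><script>var a = 1;</script>"},
    {"slug": "mid-ext", "html": '<script src="https://x.example.invalid/w.js"></script><p>Text</p>'},
]

if __name__ == "__main__":
    for finding in audit_posts(SAMPLE_POSTS, {"platform.twitter.com"}):
        print(finding)
```

A finding is a lead for manual review rather than proof of compromise: compare flagged posts against a known-good backup or revision before editing them.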

Source: Cyber Security News
