A critical SQL injection vulnerability in Ghost CMS (CVE-2026-26980) has been exploited by at least two hacker groups to quietly poison over 700 websites with ClickFix malware. First disclosed February 19, 2026, the flaw lets unauthenticated attackers steal Admin API keys and rewrite article content at scale.
Researchers at Qianxin XLab spotted the campaign on May 7. By May 17, compromised sites included Harvard, Oxford, and Auburn University and spanned the blockchain, fintech, and media industries. Visitors saw nothing suspicious: malicious JavaScript hid at the bottom of articles, eventually serving a fake Cloudflare verification page that tricked users into running malware themselves.
Ghost CMS admins should patch immediately, rotate all credentials, and audit access logs.
Source: Cyber Security News