Attackers exploit Ghost CMS SQL injection flaw CVE-2026-26980 to booby-trap hundreds of websites with ClickFix malware lures

Attackers are using a Ghost CMS bug to hijack websites and show visitors fake verification prompts that can infect their computers. The campaign abuses CVE-2026-26980, a critical unauthenticated SQL injection flaw affecting Ghost 3.24.0 through 6.19.0, to steal Admin API keys and inject malicious JavaScript into article pages; researchers say more than 700 domains were hit, including university, media, fintech, and tech sites. Visitors who follow the ClickFix instructions paste attacker-supplied commands into Windows, and those commands download and run malware.
Why it matters: This affects both website owners and ordinary visitors: unpatched Ghost sites can be silently turned into malware delivery pages, and people browsing them can be tricked into infecting their own systems. Ghost administrators should update to 6.19.1 or later immediately, rotate any Admin API keys that may have been exposed (in Ghost these belong to integrations, so review the integrations list as well), check published post HTML for injected scripts, and look for suspicious Admin API activity such as post edits from unexpected integrations.
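The "check for injected scripts" step is the one most site owners will have to do by hand, so here is an added example of how to automate it. This is illustrative code written for this page, not code from the articles cited below or from the Ghost project. It assumes you have already pulled each post's rendered HTML (for instance from a Ghost JSON export or the Content API, both of which expose an `html` field per post) into a list of `{"slug": ..., "html": ...}` dicts; the allowlist of script hosts, the ClickFix phrase list and the sample posts are all constructed for the example and must be adjusted to the site being audited.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (hypothetical allowlist; set per site).
ALLOWED_SCRIPT_HOSTS = {"example.org", "cdn.example.org"}

# Phrases that commonly appear in ClickFix lures (assumed indicators, tune to your telemetry).
CLICKFIX_PHRASES = [
    r"verify\s+(that\s+)?you\s+are\s+human",
    r"win\s*\+\s*r",
    r"ctrl\s*\+\s*v",
    r"press\s+enter",
    r"powershell",
    r"mshta",
]


class _ScriptCollector(HTMLParser):
    """Collects every <script> in a document as (src, inline_body) pairs."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


def audit_post(slug, html):
    """Return a list of findings for one post's rendered HTML (empty list = nothing suspicious)."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src, body in collector.scripts:
        if src:
            host = urlparse(src).hostname  # None for same-origin paths like /assets/app.js
            if host and host not in ALLOWED_SCRIPT_HOSTS:
                findings.append({"type": "external_script", "slug": slug, "src": src})
        elif body.strip():
            # Ghost post bodies normally carry no inline script, so any is worth a look.
            findings.append({"type": "inline_script", "slug": slug, "snippet": body.strip()[:80]})
    # Crude text extraction: strip tags, then look for lure wording in what the visitor reads.
    text = re.sub(r"<[^>]+>", " ", html)
    hits = [p for p in CLICKFIX_PHRASES if re.search(p, text, re.IGNORECASE)]
    if len(hits) >= 2:  # one phrase alone (e.g. "powershell" in a tutorial) is too noisy
        findings.append({"type": "clickfix_wording", "slug": slug, "matched": hits})
    return findings


def audit_posts(posts):
    """Map slug -> findings for every post that has at least one finding."""
    results = {}
    for post in posts:
        found = audit_post(post["slug"], post["html"])
        if found:
            results[post["slug"]] = found
    return results


# Constructed sample posts: one clean, one with a foreign script tag, one with an inline lure.
SAMPLE_POSTS = [
    {"slug": "welcome",
     "html": '<p>Hello.</p><script src="https://cdn.example.org/app.js"></script>'},
    {"slug": "injected-external",
     "html": '<p>Story.</p><script src="//static.invalid/loader.js"></script>'},
    {"slug": "injected-inline",
     "html": ('<p>Story.</p><script>document.body.innerHTML='
              '"<div>Verify you are human: press Win+R, Ctrl+V, then Enter</div>";</script>')},
]

if __name__ == "__main__":
    for slug, findings in audit_posts(SAMPLE_POSTS).items():
        for f in findings:
            print(slug, f)
```

Run it over the full post set and treat every hit as something to read, not as proof of compromise; a same-origin `src` is allowed through because Ghost themes legitimately reference local assets, so a compromise that writes a script file into the theme directory would need a separate file-integrity check.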

Sources

Ghost CMS Vulnerability Exploited to Hack Over 700 Websites
Eduard Kovacs 2026.05.25 98% relevant
This source is a direct update on the same underlying event: active exploitation of Ghost CMS CVE-2026-26980 to compromise websites and inject ClickFix-related malicious JavaScript. It adds concrete scope and victim detail, saying more than 700 sites were hacked, including sites tied to DuckDuckGo, Harvard, and Oxford, and notes at least two groups are competing in the poisoning campaign.
Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign
Bill Toulas 2026.05.24 100% relevant
This article establishes a distinct security story by tying active, large-scale exploitation of Ghost CMS CVE-2026-26980 to website compromises and downstream ClickFix malware delivery across more than 700 domains.