Summary
Key Points:
- A critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS is being exploited in a large-scale ClickFix campaign affecting over 700 domains, including notable institutions like Harvard and DuckDuckGo.
- The vulnerability allows unauthenticated attackers to read arbitrary data, including admin API keys, which can be used to inject malicious JavaScript into articles, leading to further exploitation and potential payload delivery.
- Website administrators are urged to upgrade to Ghost CMS version 6.19.1 or later, rotate all previously used keys, and conduct thorough reviews for injected scripts.
Technical Details: CVE-2026-26980 affects Ghost CMS versions 3.24.0 through 6.19.0, allowing attackers to exploit the flaw to access sensitive data and execute malicious scripts.
MITRE ATT&CK Techniques:
- T1190 - Exploit Public-Facing Application (Initial Access)
- T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
- T1059.001 - Command and Scripting Interpreter: JavaScript (Execution)
IOCs Mentioned:
- Malicious JavaScript code
- Injected scripts
- Payloads including DLL loaders and UtilifySetup.exe
This summary provides actionable intelligence for security analysts monitoring for vulnerabilities in web applications, particularly those using Ghost CMS.
Join the discussion — sign up to comment, upvote, and save articles.