Ghost CMS flaw hijacked to target hundreds of websites with ClickFix attacks — here's how to stay safe
- Researchers warn CVE-2026-26980, a critical SQL injection flaw in Ghost CMS (score 9.4), is being exploited in a large ClickFix campaign
- Over 700 domains, including Harvard, Oxford, DuckDuckGo, and major AI/SaaS firms, were compromised to deliver malware via DLL loaders, JS droppers, and Electron-based payloads
- Admins should urgently upgrade to Ghost 6.19.1 or later and monitor 30-day admin API logs to detect potential compromise
A critical-severity vulnerability that was reportedly patched three months ago is being exploited in a massive ClickFix campaign, researchers have claimed.
In mid-February 2026, a critical SQL injection vulnerability was found in Ghost CMS, a popular open-source Content Management System (CMS) currently used by more than 57,000 websites, including the likes of 404 Media, the Canadian government, and Duolingo.
The flaw, tracked as CVE-2026-26980 and affecting Ghost 3.24.0 through 6.19.0, was assigned a severity score of 9.4/10 (critical), as it potentially allows unauthenticated attackers...
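As an added example (not code from Ghost, the researchers, or the article), a version-range check an administrator can run over Ghost version strings from their own inventory: it treats the 3.24.0 through 6.19.0 range stated above as affected and 6.19.1 as the fix, and conservatively counts a pre-release build of 6.19.1 as still affected.

```python
"""Classify Ghost CMS version strings against the CVE-2026-26980 affected
range (3.24.0 through 6.19.0, fixed in 6.19.1) given in the article."""
import re
from typing import Tuple

# Fourth element: 1 for a final release, 0 for a pre-release, so that
# tuple comparison orders "6.19.1-rc.1" before "6.19.1" as semver does.
AFFECTED_MIN = (3, 24, 0, 0)   # first affected release (article)
FIXED_IN = (6, 19, 1, 1)       # first fixed release (article)

_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$"
)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'v6.19.0', '6.19.1-rc.1' or '6.20.0+build.7' into a comparable
    tuple. Build metadata (+...) never affects precedence; anything that is
    not three numeric components is rejected rather than guessed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, prerelease, _build = m.groups()
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def is_affected(version_text: str) -> bool:
    """True when the version lies in [3.24.0, 6.19.1), i.e. still has the flaw."""
    return AFFECTED_MIN <= parse_version(version_text) < FIXED_IN


def triage(version_text: str) -> str:
    """One-line verdict suitable for an inventory report or ticket."""
    if is_affected(version_text):
        return f"{version_text}: AFFECTED by CVE-2026-26980, upgrade to 6.19.1 or later"
    return f"{version_text}: outside the affected range"


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    for sample in ("3.23.9", "3.24.0", "v5.82.0", "6.19.0",
                   "6.19.1-rc.1", "6.19.1", "6.20.0+build.7"):
        print(triage(sample))
```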
Copyright of this story solely belongs to techradar.com.