In a nutshell: Cybercriminals are exploiting the SQL-injection vulnerability CVE-2026-26980 in Ghost CMS across over 700 websites to conduct ClickFix attacks. Harvard, Oxford, and DuckDuckGo were also affected. A patch has been available since February but is often not installed.
Cybercriminals are actively exploiting a critical SQL-injection vulnerability in Ghost CMS to infect over 700 websites with malicious JavaScript. Security researchers from Qianxin have identified high-profile targets including Harvard and Oxford as well as DuckDuckGo.
A widespread attack campaign is currently exploiting the critical SQL-injection vulnerability CVE-2026-26980 in Ghost CMS to inject malicious JavaScript code that triggers ClickFix attack chains. Researchers from XLab at Chinese cybersecurity firm Qianxin discovered over 700 compromised domains, including university portals, AI and SaaS providers, news platforms, fintech companies, security websites, and personal blogs. The attackers successfully placed malicious code on the sites of Harvard University, Oxford University, Auburn University, and DuckDuckGo.
The vulnerability affects Ghost versions 3.24.0 through 5.0.303. It allows unauthenticated attackers to read arbitrary data from the website’s database, including admin API keys. These keys grant administrative access to users, articles, and themes, and can be abused to manipulate article pages.
A security update was released on February 19 in Ghost CMS version 5.19, but many websites have not installed the update. On February 27, SentinelOne published technical details about the vulnerability, including exploitation methods and detection techniques. The researchers identified at least two separate malware campaigns that repeatedly targeted vulnerable Ghost sites and reinfected or displaced each other with new scripts.
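As an added, defender-side example (not code from the article, Qianxin, SentinelOne or the Ghost project), the script below checks a Ghost version string against the affected range quoted above and lists every `<script>` tag found in a Ghost JSON export, covering post HTML as well as the per-post and site-wide code-injection fields, so an operator can review article pages for unexpected script additions. It assumes the export layout `db[0].data.posts[]` / `db[0].data.settings[]` with `html`, `codeinjection_head` and `codeinjection_foot` fields; the sample export is constructed and the hostname in it is a placeholder.

```python
from html.parser import HTMLParser

# Affected Ghost versions as stated in the article, inclusive on both ends.
AFFECTED_MIN = (3, 24, 0)
AFFECTED_MAX = (5, 0, 303)

def parse_version(v: str) -> tuple:
    # '5.0.303' -> (5, 0, 303); tolerates a 'v' prefix and a -prerelease suffix
    core = v.strip().lstrip("v").split("-", 1)[0]
    return tuple(([int(p) for p in core.split(".")] + [0, 0])[:3])

def is_affected_version(v: str) -> bool:
    return AFFECTED_MIN <= parse_version(v) <= AFFECTED_MAX

class _ScriptFinder(HTMLParser):
    """Collects the src (or '<inline>') of every <script> tag in a fragment."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs).get("src") or "<inline>")

def find_script_tags(fragment) -> list:
    finder = _ScriptFinder()
    finder.feed(fragment or "")  # these fields may be None in an export
    return finder.scripts

def audit_export(export: dict) -> list:
    """Return (location, script) pairs for every <script> in post HTML, per-post code
    injection, or site-wide code injection settings. Legitimate scripts show up too."""
    hits = []
    data = export["db"][0]["data"]  # assumed Ghost export layout
    for post in data.get("posts", []):
        for field in ("html", "codeinjection_head", "codeinjection_foot"):
            for src in find_script_tags(post.get(field)):
                hits.append((f"post:{post['slug']}:{field}", src))
    for setting in data.get("settings", []):
        if setting.get("key") in ("codeinjection_head", "codeinjection_foot"):
            for src in find_script_tags(setting.get("value")):
                hits.append((f"settings:{setting['key']}", src))
    return hits

# Constructed sample (not real data) in the shape of a Ghost JSON export.
SAMPLE_EXPORT = {"db": [{"data": {
    "posts": [{"slug": "welcome", "html": "<p>Hello</p>", "codeinjection_head": None},
              {"slug": "news", "html": '<p>x</p><script src="https://cdn.example.invalid/l.js"></script>'}],
    "settings": [{"key": "title", "value": "Blog"},
                 {"key": "codeinjection_foot", "value": "<script>/* injected */</script>"}],
}}]}
```

The listed scripts are for human review against what the site is known to load; the audit does not decide on its own which entries are malicious.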