Cybersecurity Threat Advisory

This Cybersecurity Threat Advisory has been revised based on a proactive threat hunt by Barracuda Managed XDR, which identified additional indicators of compromise (IOCs) and informed enhanced defensive guidance for customers.

Threat actors are actively exploiting a critical Ghost CMS vulnerability, tracked as CVE-2026-26980, to compromise websites at scale. They steal Admin API keys, inject malicious scripts, and redirect users to fake verification pages that trick victims into running malware. Over 700 sites have been affected, with multiple threat groups involved—making immediate remediation essential for Ghost operators.

What is the threat?

CVE-2026-26980 is a critical SQL injection vulnerability in Ghost CMS’s Content API, with a CVSS score of 9.4. Ghost CMS versions 3.24.0 through 6.19.0 are affected; the flaw is fixed in version 6.19.1. Attackers exploit the Content API to extract Admin API keys, inject malicious JavaScript into content, and redirect users to fake Cloudflare CAPTCHA pages that deliver malware.

Indicators of compromise include specific malicious IPs and domains, injected code patterns in content, and endpoint activity such as PowerShell execution followed by rundll32 launching downloaded DLLs—making detection and immediate patching critical.

Why is it noteworthy?

This incident is significant because it affects Ghost, a widely used open-source CMS with more than 100,000 active deployments, including high-profile organizations such as DuckDuckGo, Harvard, and Oxford.

A critical SQL injection flaw in a platform of this scale allows unauthenticated attackers to compromise large numbers of trusted websites. At least two threat groups are actively exploiting the vulnerability—and competing to implant their own payloads—demonstrating both the severity of the flaw and the speed at which attackers weaponize newly disclosed vulnerabilities.

What is the exposure or risk?

The primary risk is twofold: data compromise and content hijacking. Attackers can exploit the SQL injection flaw to extract sensitive data from Ghost databases, including authentication tokens, user credentials, and Admin API keys. With these keys, they can programmatically alter site content and inject malicious loaders, putting visitors at risk of malware infection and downstream compromise.

More than 700 sites have already been compromised, and many remain unresponsive to notification efforts. This creates ongoing risk for both site operators and users, including reputational damage, loss of trust, and abuse of legitimate domains as malware distribution channels.

What are the recommendations?

Barracuda strongly recommends organizations take the following steps to reduce the risk of exploitation and protect critical infrastructure from this and other similar threats.

  • Block known malicious IPs
    • 144.31.236.66 (active payload delivery)
    • 139.84.227.139 (confirmed C2 infrastructure)
  • Educate users
    • Warn against fake CAPTCHA or “browser verification” prompts
    • Emphasize that legitimate checks never require running commands or using keyboard shortcuts
  • Patch immediately
    • Upgrade Ghost CMS to version 6.19.1 or later to remediate CVE-2026-26980
  • Rotate credentials
    • Reset all sensitive secrets after patching, including:
      • Admin API keys
      • Content API keys
      • Admin passwords
      • Session secrets
  • Remove malicious code
    • Clean infected content at the database level
    • Search for known indicators such as:
      • ghost_once_footer_
      • atob(
      • appendChild
  • Review logs for suspicious activity
    • Bulk PUT requests to the Admin API
    • SQL injection attempts targeting /ghost/api/content/
    • Retain logs for at least 30 days
  • Strengthen defenses
    • Distribute code signatures for proactive scanning
    • Implement or update WAF rules to block SQL injection attempts
    • Enforce least privilege access and secure admin access with:
      • VPN
      • IP allowlists
      • Strong MFA
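The log review and content search recommended above can be scripted. The following is an added example, not code from the advisory or from Barracuda: it scans constructed access-log lines for SQL-injection markers in requests to /ghost/api/content/ and for bulk PUTs to the Admin API (assumed here to live under /ghost/api/admin/, a path the advisory does not state), and checks a stored content fragment for the three indicator strings. The combined log format, the bulk threshold and all sample data are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Indicator strings the advisory lists for searching stored Ghost content.
CONTENT_IOCS = ("ghost_once_footer_", "atob(", "appendChild")

# Generic SQL-injection markers, applied to the URL-decoded request path.
SQLI_RE = re.compile(r"union\s+select|sleep\(|benchmark\(|information_schema|--|/\*|\bor\b\s+\d+\s*=\s*\d+", re.IGNORECASE)

# Combined-format access log line: client IP, method, path and status (assumed format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample log lines (not real traffic) mimicking the two patterns the advisory names.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Mar/2026:10:00:01 +0000] "GET /ghost/api/content/posts/?key=k&filter=tag:%27%20UNION%20SELECT%201-- HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Mar/2026:10:00:02 +0000] "GET /ghost/api/content/posts/?key=k&filter=slug:news HTTP/1.1" 200 1024',
    '198.51.100.9 - - [01/Mar/2026:10:05:00 +0000] "PUT /ghost/api/admin/posts/1/ HTTP/1.1" 200 300',
    '198.51.100.9 - - [01/Mar/2026:10:05:01 +0000] "PUT /ghost/api/admin/posts/2/ HTTP/1.1" 200 300',
    '198.51.100.9 - - [01/Mar/2026:10:05:02 +0000] "PUT /ghost/api/admin/posts/3/ HTTP/1.1" 200 300',
    '192.0.2.7 - - [01/Mar/2026:10:06:00 +0000] "PUT /ghost/api/admin/posts/9/ HTTP/1.1" 200 300',
]

# Constructed content fragment resembling the injected-loader pattern the advisory describes.
SAMPLE_CONTENT = '<div id="ghost_once_footer_1"><script>eval(atob("Li4u"));</script></div>'

def scan_log(lines, bulk_threshold=3):
    """Flag SQLi-looking Content API requests and IPs issuing bulk Admin API PUTs."""
    sqli_hits, put_counts = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        ip, method, path = m["ip"], m["method"], unquote(m["path"])
        if path.startswith("/ghost/api/content/") and SQLI_RE.search(path):
            sqli_hits.append((ip, path))
        if method == "PUT" and path.startswith("/ghost/api/admin/"):
            put_counts[ip] += 1
    bulk = {ip: n for ip, n in put_counts.items() if n >= bulk_threshold}
    return {"sqli": sqli_hits, "bulk_put": bulk}

def find_content_iocs(html):
    """Return the advisory indicator strings present in a stored content fragment."""
    return [ioc for ioc in CONTENT_IOCS if ioc in html]

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))          # one SQLi hit; 198.51.100.9 flagged for bulk PUTs
    print(find_content_iocs(SAMPLE_CONTENT))  # ['ghost_once_footer_', 'atob(']
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines, and against exported post HTML for the content check; the heuristics are a starting point for triage, not a substitute for database-level cleanup.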

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.


Posted by Mona Gujral

Mona is a Cybersecurity Analyst at Barracuda. She's a security expert, working on our Blue Team within our Security Operations Center. Mona supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
