CVE-2026-26980: Ghost CMS Flaw Hits 700 Sites Including Harvard
Attackers did not break into Harvard University’s website through a zero-day exploit or a nation-state operation. They sent a single crafted API request to a Ghost CMS installation that had not been updated since February 2026. That request extracted the site’s admin API key from the database without any authentication. Within hours, every article page on the site was injecting malicious JavaScript into the browsers of students, faculty and researchers who trusted the domain they were visiting.
The same thing happened to Oxford University, Auburn University and DuckDuckGo. XLab threat intelligence researchers at Qianxin have now confirmed over 700 compromised domains across universities, fintech firms, AI and SaaS companies, media outlets, security sites and personal blogs — all running the same unpatched Ghost CMS vulnerability. CVE-2026-26980 carries a CVSS score of 9.4 Critical. The patch has been available since February 19, 2026. Hundreds of site owners did not apply it.
What CVE-2026-26980 actually does
What makes this particularly severe is Ghost’s API architecture. The Content API key is embedded directly in Ghost theme HTML by design, making the endpoint effectively unauthenticated from an attacker’s perspective. Any internet-connected Ghost instance running a vulnerable version can be exploited with a single crafted request — no credentials, no social engineering, no insider access required. The attacker sends the request, extracts the admin API key from the database response, and then uses the admin API to modify every published article on the site.
SentinelOne documented active exploitation as early as February 27, 2026 — eight days after the patch was released. The campaign XLab discovered in May represents a significant escalation, with two distinct attack clusters operating simultaneously, sometimes re-infecting the same domains after cleanup, and in some cases one cluster removing the other’s injected code to insert its own.
The ClickFix attack chain
ClickFix is a social engineering technique that bypasses email security, endpoint detection and browser defences simultaneously — because the victim executes the malware themselves. Here is the full chain that plays out on every compromised Ghost site.
The attacker exploits CVE-2026-26980 to steal the admin API key. They use the Ghost Admin API to inject a JavaScript loader at the bottom of published articles. That loader retrieves a second-stage payload from an external domain at runtime, with the payload swappable without modifying the loader — a design that lets attackers adapt what they deliver while maintaining persistence across hundreds of compromised sites. The second-stage script fingerprints the visitor’s browser and decides whether to redirect, display popups, trigger downloads, or serve fake Cloudflare CAPTCHA verification pages.
When the fake CAPTCHA appears, visitors see a professional-looking verification dialog on a website they already trust — a university portal, a security research blog, a fintech platform. The dialog instructs them to copy a command and paste it into the Windows Run dialog to “complete verification.” That command is a dropper. XLab documented three payloads delivered through this chain: DLL loaders, JavaScript droppers, and an Electron-based infostealer named UtilifySetup.exe. The DLL files carried valid code-signing certificates using a PuTTY client, making them harder to flag at the endpoint.
The attack works specifically because it operates through trusted domains. A fake CAPTCHA on an unknown site is suspicious. The same fake CAPTCHA on harvard.edu is not.
Why 700+ sites were still unpatched three months later
Ghost patched CVE-2026-26980 on February 19, 2026. Ghost is actively used by over 100,000 websites, which means the 700+ confirmed compromises represent the visible tip of a much larger unpatched population. The compilation timestamp of a DLL file used in one attack cluster is February 16, three days before the patch was announced — suggesting the attackers had access to pre-disclosure intelligence about the vulnerability.
The patching gap reflects a structural problem that affects every CMS ecosystem: self-hosted installations require active maintenance, and many organisations running Ghost for blogs, newsletters or publishing platforms do not have dedicated security staff monitoring CVE disclosures and applying patches within days of release. Ghost(Pro) hosted installations were patched automatically. Self-hosted installations were not. The attack campaign targeted exactly the organisations that fell between those two categories — large enough to have a valuable trusted domain, not large enough to have automated patch management covering their CMS infrastructure.
Detection: what to look for if you run Ghost
If your Ghost installation ran any version between 3.24.0 and 6.19.0 since February 2026, treat it as potentially compromised regardless of whether anything looks wrong in the admin dashboard. The injected JavaScript loaders typically appear at the bottom of article content but are not always visible through the Ghost editor’s normal view — audit published content at the database level, not through the frontend interface.
Specific indicators to check immediately include suspicious entries in Ghost’s admin API access logs showing API key usage from unfamiliar IP addresses, unexpected JavaScript additions at the bottom of article HTML when viewed at the source level, and outbound requests to external domains from your Ghost installation that are not part of your normal CDN or analytics stack. XLab has published indicators of compromise including script fingerprints for both known attack clusters — the IOC list is available in their full technical report.
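The database-level audit described above, written as an added example rather than code from the article or from Ghost itself: it reads published posts directly from the `posts` table (assumed columns `id`, `slug`, `status`, `html`), flags every `<script>` tag that is inline or loads from a host outside an assumed allowlist, and marks whether the tag sits in the trailing part of the article body. The sample database is constructed in memory so the script runs offline.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Hosts allowed to serve scripts on this site: an assumed allowlist, edit it to match your CDN/analytics stack.
ALLOWED_SCRIPT_HOSTS = {"cdn.example-site.test", "www.googletagmanager.com"}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)

def suspicious_scripts(post_id, slug, html):
    """Flag <script> tags in one post body that are inline or load from a non-allowlisted host.
    'trailing' is True when the tag sits in the last 20% of the HTML, where the loaders were appended."""
    findings = []
    for m in SCRIPT_TAG.finditer(html):
        src_match = SRC_ATTR.search(m.group(1))
        src = src_match.group(1) if src_match else None
        host = urlparse(src).hostname if src else None
        if host in ALLOWED_SCRIPT_HOSTS:
            continue
        findings.append({"post": post_id, "slug": slug, "src": src,
                         "trailing": m.start() >= 0.8 * len(html)})
    return findings

def audit_posts(conn):
    """Read published posts straight from the `posts` table (html column), bypassing the editor view."""
    rows = conn.execute(
        "SELECT id, slug, html FROM posts WHERE status = 'published' AND html IS NOT NULL")
    findings = []
    for post_id, slug, html in rows:
        findings.extend(suspicious_scripts(post_id, slug, html))
    return findings

def build_sample_db():
    """Constructed stand-in for a Ghost database: a clean post, an injected post and a draft."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id TEXT, slug TEXT, status TEXT, html TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?, ?)", [
        ("p1", "welcome", "published",
         "<p>Hello</p><script src='https://cdn.example-site.test/theme.js'></script><p>Bye</p>"),
        ("p2", "research-update", "published",
         "<p>" + "Long article body. " * 40 + "</p>"
         "<script src='https://loader.attacker-placeholder.test/l.js'></script>"),
        ("p3", "draft-notes", "draft", "<script>console.log('unpublished')</script>"),
    ])
    return conn
```

Against a production Ghost install, replace `build_sample_db()` with a read-only connection to the real MySQL database and pass it to `audit_posts`; the query and the checks are unchanged.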
Database forensics should examine Ghost logs for SQL queries targeting Content API endpoints with unusual ordering parameters. Any query that attempts to read administrative user tables or session tokens outside normal application workflows is a signal of exploitation attempts whether or not they succeeded.
Response: what to do right now
Updating to Ghost version 6.19.1 or later is the single most important action you can take right now. That release replaces the vulnerable SQL string interpolation with parameterized query bindings and closes the CVE-2026-26980 attack surface entirely. Once you have upgraded, rotate every credential that was active while the vulnerable version was running: your Admin API Key, Content API Key, administrator password and all active session tokens. Any of these may have been silently extracted from your database during the exposure window without leaving obvious traces in your application logs.
Once the upgrade and credential rotation are complete, audit every published article at the database level rather than through the Ghost editor frontend; injected JavaScript loaders typically sit at the bottom of article HTML in a position the editor’s normal view does not reliably surface. If you find evidence of extensive modification, restore from a clean pre-compromise backup and notify your visitors directly. The trust relationship that makes ClickFix so effective against them is the same trust relationship you have an obligation to protect, and transparent disclosure of a confirmed compromise is both the right response and, depending on your regulatory environment, the legally required one.
As a compensating control while your upgrade is being applied, implement a web application firewall rule specifically targeting SQL injection attempts against Ghost Content API endpoints, and use this incident as the prompt to review how your organisation manages patches for self-hosted web applications more broadly. CVE-2026-26980 was patched on February 19, 2026, and by May 7 attackers had industrialised the exploitation into a fully automated pipeline covering bulk scanning, automatic key extraction, bulk article injection and dynamic payload distribution. The organisations that were not compromised applied that patch within days. The organisations that were compromised did not.
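The log check from the detection section (Content API requests with unusual ordering parameters) and the compensating WAF rule above rest on the same idea: allowlist the shape of a legitimate `order` value and flag everything else. The example below is added here and is not code from the article or from Ghost; it assumes combined-format access logs that record the query string, the Content API path prefix `/ghost/api/.../content/`, and a grammar of comma-separated `<field> asc|desc` terms. The log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlparse

# Expected shape of Ghost's Content API `order` value: comma-separated "<field> asc|desc" terms
# (assumed grammar; tighten it to the fields your theme actually requests).
VALID_ORDER = re.compile(
    r"^[a-z_]+(\.[a-z_]+)?( (asc|desc))?(, ?[a-z_]+(\.[a-z_]+)?( (asc|desc))?)*$", re.IGNORECASE)

# Combined-format access log line: client IP, timestamp, request line and status are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')

def check_request(line):
    """Return a finding for a Content API request whose `order` value falls outside the grammar,
    else None. Non-API requests and unparsable lines are ignored."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlparse(m.group("path"))
    if not (url.path.startswith("/ghost/api/") and "/content/" in url.path):
        return None
    for value in parse_qs(url.query).get("order", []):  # parse_qs also percent-decodes
        if not VALID_ORDER.match(value.strip()):
            return {"ip": m.group("ip"), "ts": m.group("ts"),
                    "order": value, "status": m.group("status")}
    return None

def scan(lines):
    """Run check_request over an iterable of log lines and keep the hits."""
    return [hit for hit in map(check_request, lines) if hit]

# Constructed sample: two ordinary theme reads, one malformed order value, one non-API request.
SAMPLE_LOG = [
    '203.0.113.10 - - [20/Feb/2026:10:01:02 +0000] "GET /ghost/api/content/posts/?key=abc&order=published_at%20desc HTTP/1.1" 200 5120',
    '198.51.100.7 - - [20/Feb/2026:10:03:44 +0000] "GET /ghost/api/content/posts/?key=abc&order=title%20asc,updated_at%20desc HTTP/1.1" 200 4100',
    '192.0.2.55 - - [21/Feb/2026:03:12:09 +0000] "GET /ghost/api/content/posts/?key=abc&order=published_at%20desc)%20OR%20(1=1 HTTP/1.1" 200 5120',
    '192.0.2.55 - - [21/Feb/2026:03:12:10 +0000] "GET /about/ HTTP/1.1" 200 9000',
]
```

The same `VALID_ORDER` grammar can be expressed as a positive-match WAF rule on the `order` parameter of Content API routes, which blocks anything that is not a plain field list without having to enumerate injection patterns.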
US compliance implications
CISA’s Known Exploited Vulnerabilities catalog and binding operational directive requirements mean that federal agencies and contractors running Ghost CMS must treat CVE-2026-26980 as a mandated remediation with a prescribed timeline. The SEC’s four-day material incident disclosure requirement applies to public companies where a Ghost CMS compromise constitutes a material cybersecurity event, and a trusted domain serving infostealer malware to thousands of users is the kind of incident that meets that threshold.
Healthcare organisations using Ghost for patient-facing communications should evaluate HIPAA implications if database access exposed patient information. Financial services firms whose Ghost installations were compromised face potential GLBA notification obligations and should assess whether customer data was accessible through the Ghost database at the time of exploitation. For organisations in regulated sectors, the remediation checklist above is the starting point, not the complete response.
CybelAngel's Attack Surface Management platform continuously monitors your web properties and those of your vendors for active vulnerabilities, CMS compromise indicators and malicious content injection, detecting when your websites or your supply chain partners become attack vectors before your visitors are affected. Our threat intelligence team tracks active exploitation campaigns like this one and delivers actionable alerts when your organisation’s infrastructure enters the target scope.
FAQs
CVE-2026-26980 is a blind SQL injection vulnerability in Ghost CMS’s Content API, affecting versions 3.24.0 through 6.19.0. It carries a CVSS score of 9.4 Critical and allows unauthenticated attackers to read arbitrary data from the Ghost database, including admin API keys, with a single crafted API request. Ghost patched the vulnerability in version 6.19.1 on February 19, 2026.
XLab researchers at Qianxin confirmed over 700 compromised domains, including Harvard University, Oxford University, Auburn University and DuckDuckGo. Compromised sites span universities, fintech firms, AI and SaaS companies, media outlets, cybersecurity sites and personal blogs. The 700 figure represents confirmed compromises at the time of reporting — the total unpatched population across Ghost’s 100,000+ active installations is likely significantly larger.
ClickFix is a social engineering technique where attackers compromise legitimate, trusted websites and inject fake Cloudflare CAPTCHA or browser verification dialogs. When visitors interact with the dialog, they are instructed to paste a command into the Windows Run dialog that executes malware. The technique bypasses email security and endpoint detection because the victim runs the malware themselves through what appears to be a routine website interaction on a domain they trust.
Check your Ghost version immediately: any installation running 3.24.0 through 6.19.0 should be treated as potentially compromised. Review published article HTML at the source level for unexpected JavaScript at the bottom of content, check admin API access logs for key usage from unfamiliar IP addresses, and look for outbound requests to unfamiliar external domains. The Ghost editor’s normal view may not show injected code; database-level content auditing is required for a clean confirmation.
Update to Ghost 6.19.1 or later immediately. Then rotate all credentials that were active during the vulnerable period: Admin API Key, Content API Key, administrator password and active sessions. Audit all published article content at the database level for injected JavaScript. Review admin API access logs for suspicious activity. If you find evidence of compromise, notify visitors, restore from a clean backup, and report to relevant authorities if your organisation is subject to US breach notification obligations.
The targeting was not sector-specific: attackers scanned the internet for any Ghost CMS installation running a vulnerable version and compromised every accessible one. Universities, fintech firms and established media outlets are valuable specifically because their domains carry high trust with users, which makes the ClickFix social engineering more effective. A fake CAPTCHA served from a university domain bypasses the scepticism that the same page would trigger from an unknown domain.
CybelAngel’s Attack Surface Management platform monitors your external web properties continuously for active vulnerabilities, including CMS version exposure and malicious content injection indicators. When a Ghost installation enters active exploitation scope, as CVE-2026-26980 did in May 2026, the platform alerts your security team before visitors are affected. The threat intelligence team also tracks active campaigns and delivers contextualised alerts when your organisation’s infrastructure appears in targeting activity.
