Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

Ghost CMS CVE-2026-26980 ClickFix campaign

Campaign
First reported
Last updated
Happening score
H score 41
1 unique sources, 1 articles

Summary

Hide ▲

A large-scale campaign is exploiting CVE-2026-26980 in Ghost CMS to plant malicious JavaScript and drive ClickFix lure pages, putting exposed sites and their visitors at risk. XLab says the activity has affected more than 700 domains, including Harvard University, Oxford University, Auburn University, and DuckDuckGo. The flaw impacts Ghost 3.24.0 through 6.19.0, and the fix in 6.19.1 was released on February 19 after many sites failed to update.

Related Happenings

Ghost CMS Content API SQL injection SQL injection flaw (CVE-2026-26980)

Vulnerability
First: 25.05.2026 15:02 Last: 25.05.2026 15:02 Sources 1

About this happening: Threat actors are **actively exploiting CVE-2026-26980** in **Ghost CMS Content API**, creating **SQL injection** risk that can expose database data and enable unauthorized **admi...

Open Happening

CISA KEV listing for Wing FTP CVE-2025-47813

Public Sector Action
First: 17.03.2026 07:23 Last: 17.03.2026 07:23 Sources 1

About this happening: CISA added **CVE-2025-47813** in **Wing FTP Server** to the **KEV catalog** after evidence of **active exploitation**, putting the flaw under formal government tracking. The listi...

Open Happening

Ivanti Endpoint Manager (EPM) authentication bypass (CVE-2026-1603)

Vulnerability
First: 10.03.2026 13:36 Last: 10.03.2026 13:36 Sources 1

About this happening: A **high-severity** flaw in **Ivanti Endpoint Manager (EPM)** is now **actively exploited**, putting **remote unauthenticated attackers** in position to **bypass authentication**...

Open Happening

CISA KEV multi-product active exploitation wave (CVE-2020-7796)

Exploitation Wave
First: 18.02.2026 08:52 Last: 18.02.2026 08:52 Sources 1

About this happening: **CISA** expanded its **KEV catalog** with **four actively exploited flaws**, signaling a live exploitation wave across **Chrome, TeamT5 ThreatSonar, Zimbra, and Windows Video Act...

Open Happening

CISA SmarterMail remediation guidance for CVE-2026-24423

Advisory/Mitigation
First: 06.02.2026 19:16 Last: 06.02.2026 19:16 Sources 1

About this happening: **SmarterMail** is at the center of a **CVE-2026-24423** remediation and exploitation wave: the flaw enables **unauthenticated remote code execution** in versions prior to **Build...

Open Happening

Timeline

  1. 24.05.2026 17:12 1 articles · 3d ago

    Ghost CMS 6.19.1 security update

    Mitigation Patch Update

    Ghost CMS released version 6.19.1 on February 19 to fix CVE-2026-26980, a SQL injection flaw affecting Ghost 3.24.0 through 6.19.0 and exposing admin API keys; sites that skipped the update remained vulnerable to malicious JavaScript injection and ClickFix delivery.

    Show sources
    Open in new tab
  2. 24.05.2026 17:12 1 articles · 3d ago

    SentinelOne detection guidance for Ghost CMS exploitation

    Detection Ioc Update

    SentinelOne published detection details on February 27 for CVE-2026-26980 exploitation in Ghost CMS and described at least two activity clusters targeting vulnerable sites, including cases where one cluster cleaned another cluster's script and re-infected the same domains with different payloads.

    Show sources
    Open in new tab
  3. 24.05.2026 17:12 2 articles · 3d ago

    Large-scale Ghost CMS ClickFix campaign

    Initial Disclosure

    XLab threat intelligence researchers at Qianxin discovered a large-scale campaign exploiting CVE-2026-26980 in Ghost CMS to inject malicious JavaScript that drives ClickFix lure pages, confirming impact on more than 700 domains and naming Harvard University, Oxford University, Auburn University, and DuckDuckGo among the affected sites.

    Show sources
    Open in new tab