A vulnerability in the Ghost CMS, tracked as CVE-2026-26980, has been exploited to compromise over 700 websites, including major organizations like DuckDuckGo and Harvard University. This SQL injection flaw allows attackers to extract sensitive data, including authentication tokens and user credentials. The attacks began shortly after a security patch was released in February 2026, and threat actors used the exploit to inject malicious JavaScript loaders for ClickFix attacks.
Qianxin, a cybersecurity firm, noted that many affected sites are personal or independent, and at least two groups are competing to exploit the vulnerability.