Attackers are actively exploiting a vulnerability in Ghost CMS, identified as CVE-2026-26980, to compromise over 700 unpatched websites, including those of educational institutions and organizations. The flaw allows SQL injection attacks that can expose sensitive data, including Admin API keys, which in turn enables site takeovers and malicious modification of content. Attackers insert JavaScript into web pages that redirects users to fake verification pages, which trick them into downloading malware.
The campaign has been attributed to at least two groups, which has led to multiple injections on the same sites. Site owners are urged to update their systems, rotate credentials, and remove any injected scripts. Indicators of Compromise (IoCs) were noted in the report.