Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks

2026-05-25

1 min read

by info@thehackernews.com (The Hacker News)

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

Threat actors exploit CVE-2026-26980, an SQL injection flaw in Ghost CMS, compromising 700+ sites for ClickFix attacks.

•CVE-2026-26980 (CVSS 9.4) allows attackers to steal admin API keys from Ghost's Content API; discovered by Anthropic using Claude, patched in v6.19.1
•Attackers inject malicious JavaScript loaders into articles via two-stage payloads with Adspect cloaking for evasion
•Victims are tricked by fake CAPTCHA pages into executing Base64-encoded Windows commands
•Final payloads include a signed PuTTY DLL or Electron app polling command servers every 30 seconds for persistence

This summary was automatically generated by AI based on the original article and may not be fully accurate.

Related Articles