
Ghost CMS Vulnerability Exploited to Hack Over 700 Websites

A vulnerability patched several months ago in the Ghost content management system (CMS) has been exploited to hack hundreds of websites, including ones belonging to major organizations, according to Chinese cybersecurity firm Qianxin.

The exploited vulnerability is tracked as CVE-2026-26980 and its existence came to light in February when it was patched.

Ghost is a widely used open source CMS designed specifically for blogging, newsletters, and publishing, offering built-in tools for memberships, subscriptions, and audience monetization. According to its developer, Ghost is actively used by over 100,000 websites.

When CVE-2026-26980 was disclosed, SentinelOne warned that the vulnerability, an SQL injection flaw, can be exploited by unauthenticated attackers to extract sensitive data from the Ghost database. The security firm noted that an attacker could obtain authentication tokens, user credentials, and site content.

Qianxin reported last week that CVE-2026-26980 has been exploited in mass attacks against unpatched Ghost instances.


Threat actors leveraged the flaw to obtain the targeted sites’ Admin API key and then used the API to modify articles posted on Ghost-powered sites. Specifically, the attackers injected malicious JavaScript loaders designed for ClickFix attacks.
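A defender-side check for the post tampering described above, added here as an example (it is not code from the article or from the Ghost project): it scans post HTML in the shape returned by the Ghost Admin API posts endpoint for script tags whose source host is not on a site-specific allowlist. The sample posts and hostnames below are constructed.

```python
"""Audit Ghost post HTML for injected <script> loaders.

Assumes each post object has the "slug" and "html" fields returned by
GET /ghost/api/admin/posts/?formats=html (Ghost Admin API). The sample
posts below are constructed and the hostnames are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag (None for inline scripts)."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.sources.append(dict(attrs).get("src"))


def audit_post_html(html, allowed_hosts):
    """Return script sources in one post that are not on the allowlist.

    Inline scripts are reported as "inline"; relative (same-origin) sources
    are not flagged by this check; external ones are reported by src URL.
    """
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        if src is None:
            findings.append("inline")
            continue
        host = urlparse(src).hostname or ""
        if host and host not in allowed_hosts:
            findings.append(src)
    return findings


def audit_posts(posts, allowed_hosts):
    """Map slug -> suspicious script sources for every post that has any."""
    report = {}
    for post in posts:
        hits = audit_post_html(post.get("html") or "", allowed_hosts)
        if hits:
            report[post["slug"]] = hits
    return report


# Constructed sample in the Admin API posts[] shape; hostnames are placeholders.
SAMPLE_POSTS = [
    {"slug": "welcome", "html": "<p>Hello</p>"},
    {"slug": "tampered",
     "html": '<p>Hi</p><script src="https://loader.example-attacker.invalid/x.js"></script>'},
    {"slug": "inline-card", "html": "<script>document.title='x'</script>"},
]

if __name__ == "__main__":
    for slug, hits in audit_posts(SAMPLE_POSTS, {"www.youtube.com"}).items():
        print(slug, hits)
```

Inline scripts appear legitimately in Ghost HTML cards on some sites, so treat that finding as a triage queue rather than a verdict.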

The compilation timestamp of a DLL file used in the attack is February 16, the day a patch was announced for CVE-2026-26980. Qianxin started seeing compromised websites in early May.

The security firm has identified more than 700 websites compromised in the campaign, including ones belonging to major organizations such as DuckDuckGo, Harvard University, and Oxford University.

An analysis showed that nearly half of the hacked websites are personal blogs and independent sites, but dozens belong to software development and tech blogs, AI, cryptocurrency, and various other types of entities.

Qianxin has alerted many of the victims, but said a vast majority did not respond to its notifications.

“At least two groups are currently actively conducting such poisoning operations, and some sites have even become the target of competition between the two parties, with different malicious code being implanted one after another within a single day,” Qianxin said.
