A vulnerability patched several months ago in the Ghost content management system (CMS) has been exploited to hack hundreds of websites, including ones belonging to major organizations, according to Chinese cybersecurity company Qianxin.
The exploited vulnerability is tracked as CVE-2026-26980 and its existence came to light in February when it was patched.
Ghost is a widely used open source CMS designed specifically for blogging, newsletters, and publishing, offering built-in tools for memberships, subscriptions, and audience monetization. According to its developer, Ghost is actively used by over 100,000 websites.
When CVE-2026-26980 was disclosed, SentinelOne warned that the vulnerability, an SQL injection flaw, could be exploited by unauthenticated attackers to extract sensitive data from the Ghost database. The security firm noted that an attacker could obtain authentication tokens, user credentials, and website content.
Qianxin reported last week that CVE-2026-26980 has been exploited in mass attacks against unpatched Ghost instances.
Threat actors leveraged the flaw to obtain the targeted sites’ Admin API Key and then used the API to modify articles posted on Ghost-powered websites. Specifically, the attackers injected malicious JavaScript loaders designed for ClickFix attacks.
The compilation timestamp of a DLL file used in the attack is February 16, the day a patch was announced for CVE-2026-26980. Qianxin started seeing compromised websites in early May.
The security firm has identified more than 700 websites compromised in the campaign, including ones belonging to major organizations such as DuckDuckGo, Harvard University, and Oxford University.
An analysis showed that nearly half of the hacked websites are personal blogs and independent sites, but dozens belong to software development and tech blogs, AI, cryptocurrency, and various other types of entities.
Qianxin has alerted most of the victims, but said an overwhelming majority didn’t respond to its notifications.
“No less than two teams are at present actively conducting such poisoning operations, and a few websites have even become the target of competition between the two parties, with different malicious code being implanted one after another within a single day,” Qianxin said.