A critical SQL injection vulnerability in Ghost CMS is being actively exploited to deploy malicious JavaScript in a widespread ClickFix campaign. The flaw, tracked as CVE-2026-26980, allows attackers to inject code that triggers fake tech support scams.
Security researchers have identified a large-scale attack campaign leveraging CVE-2026-26980, a critical SQL injection vulnerability in Ghost CMS. The exploit chain injects malicious JavaScript that initiates ClickFix attack flows—social engineering schemes designed to trick users into believing their devices are compromised.
The vulnerability allows unauthenticated attackers to execute arbitrary SQL queries against affected Ghost instances. By injecting crafted payloads, threat actors compromise websites and insert malicious code that executes in visitors' browsers.
Once injected, the JavaScript triggers fake security warnings claiming the user's system contains malware or viruses. These alerts prompt victims to call a fake support number or download malicious software, leading to credential theft, financial loss, or system compromise.
Ghost CMS, a popular open-source platform used for blogging and content management, has released patches addressing the vulnerability. The development team recommends immediate updates to all affected instances.
Attack Flow:
- Attacker exploits SQL injection in vulnerable Ghost installation
- Malicious JavaScript inserted into site content
- Victim visits compromised website
- Fake security alert displays
- User contacts fake support or downloads malware
Mitigation Steps:
Affected Ghost users should upgrade to the patched version immediately. Security teams should audit access logs for SQL injection attempts and review injected content across their instances. Website visitors encountering suspicious security warnings should close the browser tab and run legitimate antivirus scans.
The campaign demonstrates the continued threat posed by unpatched CMS vulnerabilities and highlights the effectiveness of combining technical exploits with social engineering tactics. Organizations running Ghost should prioritize security updates as part of standard maintenance protocols.
U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.
Tailscale disclosed a critical vulnerability in its SSH implementation that allowed attackers to gain root access through insecure argument handling. The flaw has been patched in recent versions.
A new study found that social media platforms referred over 5.7 million visits to nonconsensual deepfake pornography sites between December 2025 and March 2026, with YouTube and X accounting for the majority of traffic.