CVE-2026-26980 — Ghost CMS unauthenticated blind SQL injection, mass-exploited into a ClickFix infostealer chain
Part of run 2026-W22-da77963d (weekly · Claude Opus 4.8)
If you did nothing this week: self-hosted Ghost CMS instances are being mass-compromised through an unauthenticated blind SQL injection in the Content API slug filter, then weaponised as ClickFix social-engineering pages that serve infostealers to their own visitors.
XLab (Qianxin) and BleepingComputer document a large-scale campaign exploiting CVE-2026-26980 (CVSS 9.4, first covered 2026-05-25, GitHub advisory GHSA-w52v-v783-gw97). The dual-use is what makes this a §1 item rather than a routine SQLi: the same flaw both compromises the publishing platform and turns it into a watering hole. Public-sector, education and media organisations running self-hosted Ghost should patch to the fixed release and check for ClickFix-style injected content and unexpected database reads against the Content API.
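As a starting point for the "unexpected database reads against the Content API" check, the following is an added example (not from the brief, and not tooling from the Ghost project) that reviews web-server access logs for anomalous Content API filter traffic. It assumes the Content API base path `/ghost/api/content/` and a `filter` query parameter, both of which follow Ghost's documented Content API conventions; the log lines are constructed. Because the brief does not describe the injected input, the checks are anomaly-based rather than a signature of the flaw: a filter value that is unusually long or contains characters a slug filter never needs, and a burst of many distinct filter values from one client inside a short window, which blind extraction tends to produce.

```python
"""Heuristic review of access logs for anomalous Ghost Content API filter
traffic.  Added example, not code from the brief or the Ghost project.
Assumptions: Content API lives under /ghost/api/content/ and takes a
`filter` query parameter (Ghost's documented convention); all log lines
below are constructed samples."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [ts] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

CONTENT_API_PREFIX = "/ghost/api/content/"  # assumption: Ghost Content API base path
# Characters a benign NQL slug filter uses: word chars, hyphen, colon, quotes,
# comma, +/space (AND), parentheses, brackets, ~ operators and dots.
BENIGN_FILTER_RE = re.compile(r'^[A-Za-z0-9_\-:\'",+()\[\]~.\s]*$')
MAX_FILTER_LEN = 120      # tunable: longest filter a normal theme sends
BURST_THRESHOLD = 20      # distinct filter values from one IP per window
WINDOW_SECONDS = 60


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def content_api_filter(path):
    """Return the decoded `filter` value for a Content API request, else None."""
    parts = urlsplit(path)
    if not parts.path.startswith(CONTENT_API_PREFIX):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("filter")
    return values[0] if values else None


def filter_anomalies(filter_value):
    """Reasons a single filter value looks unlike normal theme traffic."""
    reasons = []
    if len(filter_value) > MAX_FILTER_LEN:
        reasons.append("long_filter")
    if not BENIGN_FILTER_RE.match(filter_value):
        reasons.append("unexpected_chars")
    return reasons


def analyse(lines):
    """Return a list of findings: per-request anomalies plus per-IP bursts."""
    findings = []
    per_ip = defaultdict(list)  # ip -> [(timestamp, filter value)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        value = content_api_filter(rec["path"])
        if value is None:
            continue
        per_ip[rec["ip"]].append((rec["ts"], value))
        for reason in filter_anomalies(value):
            findings.append({"ip": rec["ip"], "reason": reason, "filter": value})
    # Burst: many distinct filter values from one client within WINDOW_SECONDS.
    for ip, events in per_ip.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            window = {f for t, f in events[i:] if (t - t0).total_seconds() <= WINDOW_SECONDS}
            if len(window) >= BURST_THRESHOLD:
                findings.append({"ip": ip, "reason": "filter_burst", "filter": None})
                break
    return findings


# Constructed sample: one benign reader, one client sending an odd filter
# value and then a rapid run of distinct slug probes.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/May/2026:10:00:00 +0000] "GET /ghost/api/content/posts/?key=k&filter=slug:welcome HTTP/1.1" 200 1234',
    '203.0.113.5 - - [25/May/2026:10:00:01 +0000] "GET /assets/style.css HTTP/1.1" 200 512',
    '198.51.100.9 - - [25/May/2026:10:05:00 +0000] "GET /ghost/api/content/posts/?key=k&filter=slug:x%27%3B%7C%7C HTTP/1.1" 200 210',
] + [
    f'198.51.100.9 - - [25/May/2026:10:06:{i:02d} +0000] "GET /ghost/api/content/posts/?key=k&filter=slug:probe-{i} HTTP/1.1" 200 210'
    for i in range(25)
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file's lines; tune `MAX_FILTER_LEN` and `BURST_THRESHOLD` to what the site's theme actually sends, since a busy legitimate theme can issue many filter requests and the thresholds are only a triage aid, not proof of exploitation.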