Signal

Ghost CMS vulnerability exploited to compromise over 700 websites


Published 2026-05-25 12:02 UTC
Updated 2026-05-25 13:27 UTC
rss
cve, exploits, breaches, malware, incident_response
Evidence trail (top sources)
Top sources (2 domains). Domains are deduped; counts indicate coverage, not truth.
2 top sources shown
SecurityWeek report on Ghost CMS exploitation
securityweek.com · securityweek.com · 2026-05-25 13:27 UTC
limited source diversity in top sources
Overview

A critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS's Content API is being actively exploited by threat actors to inject malicious JavaScript and conduct ClickFix attacks.

Entities
Ghost CMS, Harvard University, Oxford University, DuckDuckGo
Score total: 0.98
Momentum 24h: 2
Posts: 2
Origins: 2
Source types: 1
Duplicate ratio: 0%
Why now
  • The exploitation is ongoing shortly after the vulnerability disclosure, indicating active threat actor interest.
  • Over 700 websites have already been compromised, showing rapid and widespread attack campaigns.
  • High-profile targets like Harvard, Oxford, and DuckDuckGo highlight the urgency for affected organizations to respond.
Why it matters
  • The vulnerability enables unauthenticated attackers to access and manipulate website data, risking user security.
  • High-profile websites being compromised increases the potential impact and visibility of the attacks.
  • Prompt patching and incident response are critical to prevent further exploitation and damage.
LLM analysis
Topic mix: low
Promo risk: low
Source quality: high
Recurring claims
  • Ghost CMS CVE-2026-26980 is actively exploited to inject malicious JavaScript for ClickFix attacks.
  • Over 700 websites, including major universities and DuckDuckGo, have been compromised via this vulnerability.
How sources frame it
  • The Hacker News: neutral
  • SecurityWeek: neutral
All evidence
SecurityWeek report on Ghost CMS exploitation
securityweek.com · securityweek.com · 2026-05-25 13:27 UTC
Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks
thehackernews · thehackernews.com · 2026-05-25 12:02 UTC
Posts loaded: 0
Publishers: 2
Origin domains: 2
Duplicates: -
Showing 2 / 0
Top publishers (this list)
  • securityweek.com (1)
  • thehackernews (1)
Top origin domains (this list)
  • securityweek.com (1)
  • thehackernews.com (1)