CVE-2026-26980 is a critical SQL injection vulnerability in Ghost CMS that allows unauthenticated attackers to read arbitrary database data, including admin API keys. With these keys, attackers gain management access to modify website content and inject malicious JavaScript. The injected script loads a second-stage payload that fingerprints visitors to identify targets. Targeted visitors see a fake Cloudflare prompt instructing them to run a command that drops malware payloads such as DLL loaders, JavaScript droppers, or Electron-based malware. The campaign affects a wide range of sites, including prestigious universities and well-known companies. Although a fix was released in Ghost CMS version 6.19.1, many sites have not applied it, enabling ongoing exploitation and reinfection cycles. Mitigation requires patching and rotating exposed keys, plus thorough site cleanup.

Exploitation of this vulnerability allows attackers to steal admin API keys, granting them control over website content and user management. This leads to injection of malicious JavaScript that can compromise site visitors through social engineering, resulting in malware infections. The campaign has compromised hundreds of domains, including high-profile targets, indicating significant risk to both website operators and visitors. Unpatched sites remain vulnerable to repeated infections and ongoing malicious activity.

An official patch addressing CVE-2026-26980 is available in Ghost CMS version 6.19.1 and later; website administrators must upgrade to this version promptly. All previously used admin API keys should be rotated to prevent unauthorized access. A thorough review and removal of injected malicious scripts from affected websites is necessary. Maintaining at least 30 days of admin API call logs is recommended to support retrospective investigations. Users should avoid executing commands from untrusted prompts and be cautious when visiting affected sites. Patch status is confirmed by the vendor advisory.