
A vulnerability patched a few months ago in the Ghost content management system (CMS) has been exploited to hack hundreds of websites, including ones belonging to major organizations, according to Chinese cybersecurity company Qianxin.
The exploited vulnerability is tracked as CVE-2026-26980 and its existence came to light in February when it was patched.
Ghost is a widely used open source CMS designed specifically for blogging, newsletters, and publishing, offering built-in tools for memberships, subscriptions, and audience monetization. According to its developer, Ghost is actively used by over 100,000 websites.
When CVE-2026-26980 was disclosed, SentinelOne warned that the vulnerability, an SQL injection flaw, can be exploited by unauthenticated attackers to extract sensitive data from the Ghost database. The security firm noted that an attacker could obtain authentication tokens, user credentials, and website content.
Qianxin reported last week that CVE-2026-26980 has been exploited in mass attacks against unpatched Ghost instances.
Threat actors leveraged the flaw to obtain the targeted sites’ Admin API Key and then used the API to alter articles posted on Ghost-powered sites. Specifically, the attackers injected malicious JavaScript loaders designed for ClickFix attacks.
The compilation timestamp of a DLL file used in the attack is February 16, the day a patch was announced for CVE-2026-26980. Qianxin started seeing compromised websites in early May.
The security firm has identified more than 700 websites compromised in the campaign, including ones belonging to major organizations such as DuckDuckGo, Harvard University, and Oxford University.
An analysis showed that nearly half of the hacked websites are personal blogs and independent sites, but dozens are software development and tech blogs, or belong to AI, cryptocurrency, and various other types of entities.
Qianxin has alerted many of the victims, but said the vast majority did not respond to its notifications.
“At least two groups are currently actively conducting such poisoning operations, and some sites have even become the target of competition between the two parties, with different malicious code being implanted one after another within a single day,” Qianxin said.
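For site owners checking whether articles were altered in the way described above, the following is an added example (not code from Qianxin, SentinelOne or Ghost) that scans post HTML for script tags loaded from hosts outside an allowlist and for inline scripts. The post records, the allowlist and the host names are constructed assumptions; the record shape follows the `posts` array of a Ghost API response.

```javascript
// Hosts expected to serve scripts inside post bodies (assumption: tune per site).
const ALLOWED_SCRIPT_HOSTS = new Set(["platform.twitter.com"]);

// Constructed sample, shaped like the `posts` array of a Ghost API response.
const SAMPLE_POSTS = [
  { id: "p1", title: "Release notes", updated_at: "2026-01-10T09:00:00Z",
    html: '<p>Hello</p><script async src="https://platform.twitter.com/widgets.js"></script>' },
  { id: "p2", title: "Old tutorial", updated_at: "2026-05-04T02:13:00Z",
    html: '<p>Text</p><script src="https://loader.invalid/a.js"></script>' },
  { id: "p3", title: "About", updated_at: "2026-05-04T02:14:00Z",
    html: "<p>Hi</p><SCRIPT>navigator.clipboard.writeText('constructed');</SCRIPT>" },
  { id: "p4", title: "Gallery", updated_at: "2025-11-02T12:00:00Z",
    html: '<script src="/assets/gallery.js"></script><p>Pics</p>' },
];

// Pull every <script> element out of a post body. Regex matching is a triage
// heuristic, not a full HTML parser.
function extractScripts(html) {
  const tags = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  const srcAttr = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  return [...html.matchAll(tags)].map((m) => {
    const s = srcAttr.exec(m[1]);
    return { src: s ? (s[1] ?? s[2] ?? s[3]) : null, body: m[2].trim() };
  });
}

// Flag scripts loaded from hosts outside the allowlist and any inline script.
function auditPosts(posts, siteHost, allowed = ALLOWED_SCRIPT_HOSTS) {
  const findings = [];
  for (const post of posts) {
    for (const { src, body } of extractScripts(post.html || "")) {
      let reason = null;
      if (src !== null) {
        let host;
        try { host = new URL(src, `https://${siteHost}/`).hostname; }
        catch { host = "(unparseable src)"; }
        if (host !== siteHost && !allowed.has(host)) reason = `external script: ${host}`;
      } else if (body) {
        // Clipboard writes are typical of ClickFix lures, so rank them higher.
        reason = /navigator\.clipboard|execCommand\(\s*['"]copy/.test(body)
          ? "inline script writing to clipboard" : "inline script";
      }
      if (reason) findings.push({ id: post.id, updated_at: post.updated_at, reason });
    }
  }
  return findings;
}

console.log(auditPosts(SAMPLE_POSTS, "blog.example.test"));
```

Flagged posts are candidates for manual review; sorting the findings by `updated_at` helps separate long-standing embeds from recent modifications.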

