
Tags: security, cms, vulnerability, supply-chain, devops

Ghost CMS Vulnerability CVE-2026-26980 Exploited Across 700+ Sites in Active ClickFix Campaign

Source: The Hacker News

A critical SQL injection vulnerability in Ghost CMS, tracked as CVE-2026-26980 and assigned a CVSS score of 9.4, is being actively exploited at scale. More than 700 websites running unpatched versions of Ghost have been compromised, with affected domains spanning universities, blockchain platforms, SaaS companies, security research firms, media outlets, and fintech providers. Researchers at XLab first identified active poisoning on May 7, 2026.

What the vulnerability does

The flaw exists in the Content API’s slug filter ordering functionality. Unauthenticated attackers can inject arbitrary SQL syntax through the ordering parameter because the vulnerable code concatenates user-supplied values directly into SQL CASE statements without parameterization. The practical result is that any visitor on the internet can read arbitrary database contents from a vulnerable Ghost installation, including the Admin API Key used to call the Ghost Admin API.

Once an attacker retrieves the Admin API Key, they use the Ghost Admin API to tamper with published articles in bulk, injecting JavaScript loaders that redirect visitors into ClickFix attack flows. ClickFix attacks trick users into executing malicious commands on their own machines by impersonating browser error dialogs or fake CAPTCHA prompts. Sites associated with Harvard University and DuckDuckGo were among those serving the injected payloads before patches were applied.

Affected versions run from Ghost 3.24.0 through 6.19.0. The issue is resolved in version 6.19.1, which replaces the vulnerable string interpolation with parameterized queries.

What organizations running Ghost should do now

Upgrade to Ghost 6.19.1 or later immediately. The patch alone is not sufficient for sites that were running a vulnerable version while accessible to the internet. Credential rotation is required regardless of whether a compromise is visible, because any Admin API Key generated under a vulnerable instance must be treated as exposed. That means rotating the Admin API Key, the Content API Key, all administrator passwords, and active session tokens.

After rotating credentials, audit recently published and edited articles for injected script tags, iframes, or base64-encoded payloads in article bodies. Check server logs for unusual requests to the Content API, particularly any containing CASE or ORDER BY syntax in ordering parameters.
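The log check above can be automated. The following is an added example, not code from the article or from the Ghost project: it parses common-format access log lines, picks out Content API requests, and flags `order`/`filter` values that contain SQL syntax. It assumes the API is served under `/ghost/api/content/` and that the ordering parameter is named `order`; the log lines are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote_plus

# Ghost's Content API lives under this path prefix (assumed from Ghost's documented
# API layout; adjust if your deployment proxies it elsewhere).
CONTENT_API_PATH = "/ghost/api/content/"

# Parameters the article says were abused. Legitimate values look like
# "published_at desc" (order) or "tag:news" (filter); SQL syntax does not belong there.
ORDERING_PARAMS = ("order", "filter")
SQL_PATTERN = re.compile(r"\b(CASE|WHEN|ORDER\s+BY|UNION|SELECT|SLEEP)\b", re.IGNORECASE)

# Common/combined access-log format: client ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def sql_in_ordering(target):
    """Return (param, decoded value) pairs from one request target whose ordering/filter
    value contains SQL syntax; [] for non-Content-API requests or clean values."""
    parsed = urlparse(target)
    if not parsed.path.startswith(CONTENT_API_PATH):
        return []
    hits = []
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        if name not in ORDERING_PARAMS:
            continue
        for value in values:
            decoded = unquote_plus(value)  # parse_qs decoded once; this catches double-encoding
            if SQL_PATTERN.search(decoded):
                hits.append((name, decoded))
    return hits

def scan_log(text):
    """Return (line_no, client_ip, hits) for every log line that looks like a probe."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = LOG_RE.match(line)
        if match:
            hits = sql_in_ordering(match.group("target"))
            if hits:
                findings.append((line_no, match.group("ip"), hits))
    return findings

# Constructed sample log: one normal Content API call, one probe, one unrelated page view.
SAMPLE_LOG = """\
203.0.113.5 - - [07/May/2026:10:01:02 +0000] "GET /ghost/api/content/posts/?key=k1&order=published_at%20desc HTTP/1.1" 200 1024
203.0.113.9 - - [07/May/2026:10:01:10 +0000] "GET /ghost/api/content/posts/?key=k1&order=CASE%20WHEN%201%3D1%20THEN%20slug%20END HTTP/1.1" 200 2048
198.51.100.2 - - [07/May/2026:10:02:00 +0000] "GET /about/ HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for line_no, ip, hits in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {ip} -> {hits}")
```

Feed it your real access log (for example `scan_log(open("access.log").read())`) and treat each finding as a lead to correlate with the Admin API activity and article edits from the same period.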

The broader pattern

This campaign is notable because Ghost is widely used by developer communities, independent media, and technical publications, audiences that might plausibly expect a fake Cloudflare verification prompt or a browser error message and act on it. The attackers’ target list is not random: they are after sites with technically literate visitors who may have elevated system access and are less likely to be running consumer-grade endpoint protection.

The incident is also a reminder that content management systems frequently sit outside the patch cadence applied to application code. Organizations that maintain rigorous patching disciplines for their own software deployments often leave CMS infrastructure running for months between updates. For any internet-facing CMS, delayed patching is an exposure that attackers actively target.

If your organization runs Ghost or any other self-hosted CMS and wants help with patching, security hardening, or a review of your web infrastructure posture, contact Excello Digital. We help teams move from vulnerable to defended without disrupting live services.
