Ghost CMS SQL flaw exploited in ClickFix malware campaign
Critical vulnerability in popular publishing platform allows attackers to inject malicious JavaScript, triggering social engineering attacks at scale.
A critical SQL injection vulnerability in Ghost CMS is being exploited in a large-scale campaign that injects malicious JavaScript to trigger ClickFix social engineering attacks. The flaw, tracked as CVE-2026-26980, allows attackers to compromise Ghost-powered websites and deploy code that manipulates visitors into executing harmful commands.
Ghost CMS is an open-source publishing platform used by thousands of websites, including media outlets, independent publishers, and corporate blogs. The vulnerability enables attackers to inject arbitrary code into the database through crafted SQL queries, bypassing normal security controls.
The ClickFix technique tricks users into copying and executing malicious commands by presenting fake error messages or system prompts. Once injected into a compromised Ghost site, the malicious JavaScript displays convincing overlays that instruct visitors to run PowerShell commands or other system-level instructions, often under the guise of fixing a technical problem or verifying their identity.
- Ghost CMS operators face immediate compromise risk without available patch guidance
- Visitors to compromised sites may execute malware through convincing social engineering
- Media and publishing organizations using Ghost require urgent security reviews
- Enterprises hosting Ghost blogs face potential lateral movement from compromised instances
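For operators reviewing a Ghost site, the ClickFix behaviour described above (injected JavaScript that places a command on the visitor's clipboard and shows instructions to run it) can be screened for in rendered pages. The following is an added example, not code from this article or from the Ghost project; the indicator patterns, the function names `extractScripts` and `scanPage`, the host names and the sample page are all constructed for illustration and are not indicators from this campaign.

```javascript
// Heuristic indicators (assumptions for illustration, not IoCs from the campaign).
const CLIPBOARD_WRITE = /navigator\.clipboard\.writeText\s*\(|execCommand\s*\(\s*['"]copy['"]/i;
const INTERPRETER = /\b(powershell|pwsh|mshta|cmd(\.exe)?\s+\/c|rundll32|regsvr32)\b/i;
const LURE_TEXT = /win(dows)?\s*\+\s*r|ctrl\s*\+\s*v|verify (that )?you are human/i;
// Return { src, body } for every <script> element in the rendered page.
function extractScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    scripts.push({ src: src ? src[1] : null, body: m[2] });
  }
  return scripts;
}

// Flag inline scripts that both write to the clipboard and name a command
// interpreter, and external scripts served from hosts outside the allowlist.
function scanPage(html, siteHost, allowedHosts = []) {
  const findings = [];
  const lure = LURE_TEXT.test(html);
  extractScripts(html).forEach((s, index) => {
    if (s.src) {
      let host = null;
      try { host = new URL(s.src, `https://${siteHost}/`).hostname; } catch (e) { /* unparsable src */ }
      if (host !== siteHost && !allowedHosts.includes(host)) {
        findings.push({ index, type: "unlisted-external-script", detail: host || s.src });
      }
      return;
    }
    if (CLIPBOARD_WRITE.test(s.body) && INTERPRETER.test(s.body)) {
      findings.push({ index, type: "clipboard-command", detail: lure ? "lure text present" : "no lure text" });
    }
  });
  return findings;
}

// Constructed sample page: theme script, unlisted CDN, benign copy button, injected block.
const SAMPLE_PAGE = `<html><head>
<script src="/assets/built/site.js"></script>
<script src="https://cdn.unlisted.example/w.js"></script>
<script>copyBtn.onclick = () => navigator.clipboard.writeText(codeEl.innerText);</script>
</head><body><article>Post body</article>
<script>
  const cmd = "powershell -Command Write-Output CONSTRUCTED-SAMPLE";
  overlay.textContent = "Verify you are human: press Win + R, then Ctrl + V";
  navigator.clipboard.writeText(cmd);
</script></body></html>`;
console.log(scanPage(SAMPLE_PAGE, "blog.example"));
```

A hit is a prompt to review the page's stored content manually, not proof of compromise; the benign copy button in the sample shows why a clipboard call on its own is not flagged.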