CVE-2026-26980: Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks

8.0CVSS Score

HIGHSeverity

NOCISA KEV

VulnerabilityImpact Type

📋 Vulnerability Details

CVE ID	CVE-2026-26980
Vendor	The Hacker News
Affected Product	Threat Intelligence
Vulnerability Type	Vulnerability
CVSS Score	8.0 (HIGH)
Actively Exploited	✅ Yes
Patch Status	See Vendor Advisory →
Reported By	CYBERDUDEBIVASH SENTINEL APEX Intelligence (via thehackernews)

🔬 Technical Analysis

Threat actors are exploiting a recently disclosed critical security flaw in Ghost CMS to inject malicious JavaScript code with an aim to fuel ClickFix attacks. According to QiAnXin XLab, the activity involves the exploitation of CVE-2026-26980 (CVSS score: 9.4), an SQL injection vulnerability in Ghost's Content API that could allow an unauthenticated attacker to read arbitrary data from the

📚 Advisory References

https://thehackernews.com/2026/05/ghost-cms-cve-2026-26980-exploited-to.html

⚡ DETECTION RULES AVAILABLE

Get CVE-2026-26980 Detection Pack

Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.

✓ Sigma Rules ✓ YARA Pack ✓ IOC Table ✓ SIEM Queries

🛡️ Get Detection Pack → 🔌 Access via API →

CVE-2026-26980: Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks

📋 Vulnerability Details

🔬 Technical Analysis

📚 Advisory References

Get CVE-2026-26980 Detection Pack

🔗 Related Intelligence