Skip to content
The Nexus
SECURITYMay 24 · 14:12 UTCBLEEPING COMPUTERBill Toulas

Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign

A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript code, enabling ClickFix attack flows. The flaw allows attackers to execute arbitrary SQL commands and compromise affected websites.

Nexus surfaces and summarizes. The full story lives at the source.

Mentioned
Spot something wrong with this article?Report a problem →
Forward this
Related Signal

Adjacent reporting