Critical Ghost CMS Flaw Exploited: 700+ Sites Compromised by Competing Threat Actors
CVE-2026-26980, a critical vulnerability in Ghost CMS, has been exploited to compromise over 700 websites, with platforms associated with Harvard University, the University of Oxford, and DuckDuckGo among the identified targets. At least two rival threat actor groups are currently competing for control of these platforms, injecting malicious JavaScript to fuel ClickFix social engineering campaigns. The flaw, reportedly discovered using Anthropic’s Claude AI, has seen massive exploitation since May 7, 2026.
- CVE-2026-26980 is a SQL injection vulnerability in the Ghost CMS Content API with a CVSS score of 9.4. It allows an unauthenticated attacker to extract the Admin API key from the database, enabling unauthorized modification of published content.
- An active campaign since May 7, 2026, has compromised more than 700 websites, including satellite platforms or blogs associated with major institutions like Harvard, Oxford, and DuckDuckGo.
- At least two threat actor groups are conducting "poisoning" operations in direct competition; some sites have been observed receiving different malicious payloads from both groups within the same 24-hour period.
- A DLL file recovered from the campaign features a compilation timestamp of February 16, 2026, coinciding with the date the vulnerability's patch was reportedly announced.
The Attack Chain: From SQL Injection to Content Hijacking
The CVE-2026-26980 vulnerability resides in the Ghost CMS Content API—the public-facing interface typically used for read-only content delivery. Technical analysis indicates that an unauthenticated SQL injection allows attackers to extract data directly from the site's database. The critical escalation point is the exposure of the Admin API Key. Once this key is obtained, attackers gain access to the Ghost Admin API, which controls the creation and modification of articles.
While Ghost’s architecture separates the public Content API from the protected Admin API, they share the same underlying database. This structural proximity is what makes the flaw so potent: an attack initiated on a public endpoint can propagate laterally until the attacker gains full editorial control. According to SentinelOne, the vulnerability facilitates the unauthenticated extraction of sensitive data from the database.
Current campaigns leverage this chain to inject malicious JavaScript into published posts. The final payload is designed for "ClickFix" attacks—a social engineering technique that tricks visitors into executing malicious code via fraudulent browser or system update prompts. This poses a significant risk not only to the integrity of the compromised site but also to the security of every visitor who loads it.
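Because the reports give administrators no compromise-verification procedure, here is an added defensive check (example code, not from the page, Ghost or the researchers) that scans published post HTML for injected scripts: inline script blocks, external script sources outside a site-specific allowlist, and inline event handlers. It assumes posts are available as dicts with `slug` and `html` keys, as they are in a Ghost JSON export; the allowlist host and the sample posts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads scripts from (site-specific).
ALLOWED_SCRIPT_HOSTS = {"cdn.example-blog.test"}


class _ScriptFinder(HTMLParser):
    """Collects <script> tags and on* attributes while parsing one post."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            src = attrs.get("src")
            if src is None:
                # Inline JavaScript is exactly what a content hijack would add.
                self.findings.append("inline <script>")
            else:
                host = urlparse(src).hostname or ""
                if host not in ALLOWED_SCRIPT_HOSTS:
                    self.findings.append(f"external script from {host or src}")
        for name in attrs:
            if name.lower().startswith("on"):
                self.findings.append(f"inline handler {name} on <{tag}>")


def scan_post(post):
    """Return a list of suspicious findings for one post (empty if clean)."""
    parser = _ScriptFinder()
    parser.feed(post.get("html") or "")
    return parser.findings


def scan_posts(posts):
    """Map slug -> findings for every post that has at least one finding."""
    return {p["slug"]: f for p in posts if (f := scan_post(p))}


def posts_from_export(export):
    """Assumption: Ghost JSON exports keep posts under db[0].data.posts."""
    return export["db"][0]["data"]["posts"]


# Constructed sample posts: one clean, one with an inline script, one with a handler.
SAMPLE_POSTS = [
    {"slug": "welcome", "html": '<p>Hi</p><script src="https://cdn.example-blog.test/app.js"></script>'},
    {"slug": "roadmap", "html": "<p>Plans</p><script>document.title='Update required';</script>"},
    {"slug": "q1", "html": '<img src="x" onerror="alert(1)"><p>ok</p>'},
]
```

Run it over `posts_from_export(json.load(open("export.json")))` and treat every flagged slug as a post to review against its last known-good revision.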
A Turf War: Rival Gangs Compete for Ghost CMS Targets
The most striking finding from the QiAnXin XLab analysis is not the scale of the breach, but its competitive nature. Researchers observed at least two threat actor groups operating simultaneously across the same infrastructure of compromised sites, creating a dynamic that resembles a contested market rather than an exclusive occupation.
"At least two groups are currently actively conducting such poisoning operations, and some sites have even become the target of competition between the two parties, with different malicious code being implanted one after another within a single day" — QiAnXin XLab researchers
This reciprocal overwriting of payloads has practical implications. A site compromised by one group may be "re-hijacked" by a second group within hours, with the new attacker deleting or overwriting the predecessor's code. This pattern suggests that Ghost CMS sites have become a high-value commodity for malware distribution, with enough demand to sustain multiple actors fighting over the same assets.
The targeted sectors are diverse, spanning AI, software development, blockchain, cybersecurity, fintech, media, SaaS, and higher education. Approximately half of the 700+ sites on the list are personal blogs or independent platforms, which often have fewer security resources than large corporations. The inclusion of institutional names on the list does not necessarily imply a breach of those organizations' core systems, but rather of associated satellite platforms or blogs.
Timeline and Indicators: The Patch-to-Exploitation Gap
The chronology of the exploit warrants close attention. A DLL file recovered during the campaign carries a compilation timestamp of February 16, 2026—the same day the patch for CVE-2026-26980 was reportedly announced. If this timestamp accurately reflects the attackers' preparation, it suggests the window between patch availability and the start of mass exploitation (May 7, 2026) was several weeks long.
QiAnXin XLab first detected malicious activity on May 7. Despite the vulnerability being theoretically patchable since February, the campaign still managed to reach a massive scale. According to the researchers, the majority of notified victims failed to respond to security alerts.
The discovery of the vulnerability is attributed to Anthropic’s Claude AI system, placing CVE-2026-26980 within the growing trend of AI-assisted security research. It remains unclear whether the discovery resulted from an automated reasoning process or a human review of AI-generated findings.
Analysis and Implications
Current reports do not specify which versions of Ghost CMS are confirmed as patched, nor do they provide specific compromise verification procedures for site administrators. It is also undocumented how many sites have been successfully remediated versus those that remain active hosts for malware.
Furthermore, it is unclear if the February 16, 2026, date refers to an official vendor release or an independent disclosure. Detailed indicators of compromise (IoCs) for the ClickFix payload—such as callback domains or persistence techniques—remain limited, and the original QiAnXin XLab report (presumably in Chinese) has not been independently verified.
Regarding the involvement of Harvard, Oxford, and DuckDuckGo, it is not confirmed that their core infrastructures were breached. The phrasing "platforms associated with" suggests a secondary relationship, such as a hosted blog or a project-specific site, rather than a direct compromise of institutional networks.
However, the phenomenon of threat actors competing for the same compromised sites represents a significant evolution in the malware distribution market. If this trend continues, it indicates that initial access has become a commodity: the primary value no longer lies in the breach itself, but in the ability to monetize it before a competitor seizes control.
Questions & Answers
- Is the compromise of Harvard and Oxford confirmed?
- Reports refer to "associated platforms," not the core systems of these institutions. These are likely satellite sites or blogs rather than primary infrastructure.
- Can visitors protect themselves from the ClickFix payload?
- Specific end-user mitigations have not been documented in the current briefs. The exact social engineering mechanics of the ClickFix prompts in this campaign remain unspecified.
- Why do sites remain compromised after being notified?
- According to researchers, most victims did not respond to notifications. This could be due to communication failures, delays in patching, or a lack of established incident response procedures.
Information is based on cited sources and is current as of the time of publication.
Sources
- https://www.darkreading.com/ics-ot-security/patch-now-critical-flaw-ot-robot-os
- https://thecyberexpress.com/cve-2026-26980-ghost-cms-vulnerability/
- https://thecyberexpress.com/cert-in-12-hour-patching-ai-llm-cyber-threats/
- https://www.darkreading.com/ics-ot-security/patch-now-attackers-target-ot-networks-critical-rce-flaw
- https://app.opencve.io/cve/CVE-2026-8153