PT-2026-20787 · Ghost · Ghost

Nicholas Carlini · Published 2026-02-18 · Updated 2026-06-05 · CVE-2026-26980

CVSS v3.1: 9.4 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Ghost versions 3.24.0 through 6.19.0
Description: A blind SQL injection exists in the Content API of Ghost, a Node.js content management system. The flaw allows unauthenticated attackers to perform arbitrary reads from the database by sending disguised SQL commands via the slug parameter, which is processed using string concatenation instead of parameterized queries. This allows the theft of the master Admin API key.
In real-world incidents, this issue was exploited in a large-scale automated campaign affecting over 700 domains, including high-profile sites such as Harvard University, Oxford University, and DuckDuckGo. Attackers used the stolen Admin API keys to bulk-rewrite articles and inject malicious JavaScript loaders. These scripts implemented a "ClickFix" technique, displaying a fake Cloudflare verification prompt via an iframe that tricked users into executing harmful commands on their Windows systems to install malware, including Rust-based DLLs and malicious Electron applications.
The exploitation specifically targets the '/ghost/api/content/tags/' endpoint.
Recommendations: Update to version 6.19.1 or later. Rotate all Admin API keys. Manually inspect article content at the database level to identify and remove injected scripts. Review Admin API call logs for unexpected bulk article modification activity. As a temporary mitigation, use a reverse proxy or WAF rule to block Content API requests containing slug%3A%5B or slug:[ in the query string filter parameter.

Exploit · Fix

Weakness Enumeration: SQL injection

Related Identifiers: BIT-GHOST-2026-26980, CVE-2026-26980, GHSA-W52V-V783-GW97

Affected Products: Ghost