{
  "title": "Ghost CMS CVE-2026-26980: Critical SQL Injection Leads to Admin Takeover and ClickFix Campaigns",
  "summary": "Attackers are actively exploiting CVE-2026-26980, a critical SQL injection in the Ghost CMS Content API, to extract Admin API Keys. Stolen keys are used to inject malicious JavaScript into published articles, serving ClickFix social engineering payloads to website visitors.",
  "date": "2026-06-11",
  "severity": "critical",
  "tags": [
    "ghost-cms",
    "cisa-kev",
    "sql-injection",
    "clickfix",
    "credential-theft",
    "content-supply-chain"
  ],
  "sources_count": 4,
  "indicators": {
    "slug": "ghost-cms-cve-2026-26980-takeover",
    "since": "2026-06-11T00:00:00Z",
    "until": "2026-06-11T23:59:59Z",
    "ecosystem": "",
    "cves": [
      "CVE-2026-26980"
    ],
    "cwes": [
      "CWE-89"
    ],
    "advisoryIds": [],
    "products": [
      "Ghost CMS"
    ],
    "packages": [
      "ghost"
    ],
    "versions": [],
    "affectedVersions": [
      "3.24.0 to 6.19.0"
    ],
    "fixedVersions": [],
    "files": [
      "UtilifySetup.exe",
      "update.zip",
      "NotepadPlusPlus.zip"
    ],
    "paths": [],
    "services": [],
    "domains": [
      "clo4shara.xyz",
      "com-apps.cc",
      "cloud-verification.com"
    ],
    "urls": [],
    "ips": [],
    "hashes": [],
    "processPatterns": [],
    "networkPatterns": [],
    "telemetrySelectors": []
  }
}