Critical Ghost CMS Vulnerability Exploited to Hack 700+ Websites

ID: 18e9a8a4-77d0-55f2-b279-04e4ce6ac9d8

STIX ID: report--18e9a8a4-77d0-55f2-b279-04e4ce6ac9d8

Feed Name: The Cyber Express

Threat Score: 78/100

Date Published: 2026-05-26

Date Updated: 2026-05-26

Author: Ashish Khaitan

A critical SQL-injection vulnerability in Ghost CMS (CVE-2026-26980, CVSS 9.4), disclosed and patched in Ghost 6.19.1, has been actively exploited in a large-scale poisoning campaign that compromised more than 700 sites, including high-profile institutions. Attackers extracted Admin API keys and used them to inject malicious JavaScript loaders, which delivered ClickFix social-engineering malware via a cloaking/traffic-distribution domain (clo4shara.xyz) backed by Adspect. Exploitation started shortly after the patch and involved multiple competing attacker groups.
