Researchers warn CVE?2026?26980, a critical SQL injection flaw in Ghost CMS (score 9.4), is being exploited in a large ClickFix campaignOver 700 domains, including Harvard, Oxford, DuckDuckGo, and major AI/SaaS firms, were compromised to deliver malware via DLL loaders, JS droppers, and Electron?based payloadsAdmins should urgently upgrade to Ghost 6.19.1 or later and monitor 30?day admin API logs to detect potential compromiseA critical-severity vulnerability that reportedly was patched three months ago is being exploited in a massive ClickFix campaign, researchers have claimed.In mid-February 2026, a critical SQL injection vulnerability was found in Ghost CMS, a popular open-source Content Management System...