A critical Ghost CMS vulnerability identified as CVE-2026-26980 has been exploited in a widespread cyber campaign that compromised more than 700 websites, including platforms associated with major institutions such as Harvard University, University of Oxford, and DuckDuckGo. Security researchers say the attacks leveraged weaknesses in the Ghost content management system to inject malicious JavaScript code aimed at facilitating ClickFix malware attacks. 

The attacks were detailed by Chinese cybersecurity company QiAnXin and its XLab research team, which warned that threat actors are actively exploiting unpatched Ghost installations in an ongoing “large-scale poisoning” campaign. 
CVE-2026...