Is CVE-2026-26980 in the CISA Known Exploited Vulnerabilities catalog?

CVE-2026-26980 is not currently listed in the CISA KEV catalog.

Vulnerability intelligence

CVE-2026-26980

CVE-2026-26980 is a CVSS 9.4 SQL injection in Ghost's Content API. Attackers extract admin API keys without authentication, inject malicious JavaScript into every article, and turn corporate blogs into malware distribution points. The 'modern WordPress alternative' has its own critical flaw.

2026

What WebPulse reported · 1 analysis

Ghost CMS Hacked: 700+ Sites Hijacked for ClickFix Attacks. Harvard, Oxford, DuckDuckGo Among Victims.

CVE-2026-26980 is a CVSS 9.4 SQL injection in Ghost's Content API. Attackers extract admin API keys without authentication, inject malicious JavaScript into eve

June 20, 2026

View CVE-2026-26980 on the NIST National Vulnerability Database →

Related vulnerabilities

CVE-2026-9082 CVE-2026-8206 CVE-2026-48019 CVE-2026-35273 CVE-2026-11645 CVE-2026-8181 CVE-2026-47291 CVE-2026-45657