DuckDuckGo A.I CyberSecurity Scoring
DuckDuckGo
Company Information
Website: https://duckduckgo.com/
Number of employees: 453
Number of followers: 135,383
NAICS: 5112
Industry Type: Software Development
Homepage: duckduckgo.com
DuckDuckGo Risk Score (AI oriented)
Band: between 700 and 749
Updated: 26/05/2026
Current Score: 736/1000, Ba (Moderate)
DuckDuckGo Global Score (TPRM): score locked
2 incidents, -11 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
June 2026: 737
May 2026: 756
Cyber Attack
07 May 2026 • DuckDuckGo
DuckDuckGo, Harvard University and Ghost: Critical Ghost CMS Vulnerability Exploited to Hack 700+ Websites
Critical Ghost CMS Vulnerability Exploited in Large-Scale Malware Campaign
736
CRITICAL-20
DUCHARGHO1779798590
A severe SQL injection flaw in the Ghost content management system (CMS), tracked as CVE-2026-26980, has been exploited in a widespread cyberattack compromising over 700 websites, including platforms linked to Harvard University, the University of Oxford, and DuckDuckGo. The campaign, uncovered by Chinese cybersecurity firm QiAnXin’s XLab team, leverages unpatched Ghost installations to inject malicious JavaScript, enabling ClickFix malware attacks.
The vulnerability, disclosed and patched in February 2026 (Ghost version 6.19.1), carries a CVSS score of 9.4, reflecting its critical severity. It allows unauthenticated attackers to extract sensitive data including Admin API keys, user credentials, and authentication tokens via Ghost’s Content API. Once obtained, the Admin API key grants attackers the ability to modify published articles and embed malicious code without authorization.
Exploitation began almost immediately after the patch’s release, with a DLL file linked to the campaign compiled on February 16, 2026, the same day the fix was announced. The first malicious activity was detected on May 7, 2026, with hundreds of Ghost-powered sites compromised by early May. Victims span AI, blockchain, cybersecurity, fintech, media, SaaS, and higher education, though nearly half were personal blogs or independent sites.
Attackers injected two-stage JavaScript loaders into website articles, directing visitors to an external domain (clo4shara[.]xyz/11z77u3.php) to fetch additional payloads. The infrastructure used Adspect, a commercial cloaking service, to fingerprint visitors and selectively deliver malware, evading detection by automated scanners. QiAnXin noted that at least two threat groups are actively competing in these "poisoning operations," with some sites receiving multiple malicious code injections in a single day.
Despite notifications, most compromised sites failed to respond, leaving the campaign ongoing. The attack highlights the risks of delayed patching in widely used CMS platforms.
April 2026: 756
March 2026: 758
Vulnerability
02 Mar 2026 • DuckDuckGo
DuckDuckGo: UXSS Vulnerability in DuckDuckGo Browser’s AutoConsent JS Bridge Allows Cross-Origin Attacks
DuckDuckGo Android Browser Patched for Critical UXSS Vulnerability
756
CRITICAL-2
DUC1772461435
A high-severity vulnerability in the DuckDuckGo browser for Android was recently disclosed, exposing users to Universal Cross-Site Scripting (UXSS) attacks. The flaw, discovered in the browser’s AutoConsent JS bridge, allowed malicious code from untrusted sources to execute on trusted webpages, bypassing the Same-Origin Policy (SOP).
Security researcher Dhiraj Mishra reported the issue via HackerOne, revealing that the AutoconsentAndroid Java bridge, designed to automate cookie consent pop-ups, failed to validate message origins. The bridge accepted commands from any iframe, including cross-origin ones, without authentication, enabling attackers to inject arbitrary JavaScript into the main webpage.
A proof-of-concept (PoC) demonstrated the exploit: a hidden malicious iframe could alter the content of a victim page, confirming the SOP bypass. The vulnerability, assigned a CVSS score of 8.6 (High), could have been exploited to steal cookies, hijack sessions, or manipulate website content, all without user interaction.
DuckDuckGo has since patched the flaw in recent updates to the com.duckduckgo.mobile.android app. The fix ensures the AutoConsent bridge now properly verifies message origins, preventing unauthorized script execution. Users were advised to update to the latest version to mitigate risks.
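The flaw class described above, a message bridge that acts on commands without checking who sent them, is easier to see next to its fix. The following is an added illustration written for this page; it is not DuckDuckGo's code and the real AutoconsentAndroid bridge is a Java/WebView interface, so this models the same missing-origin-check pattern in plain JavaScript. The `makePage`/`makeEvent` helpers, the command names, and the `victim.example`/`attacker.example` origins are constructed for the example.

```javascript
// Added illustration, not DuckDuckGo's code. The real AutoconsentAndroid bridge is a
// Java/WebView interface; this models the same flaw class in plain JavaScript:
// a page-side handler that applies "autoconsent" commands arriving from frames.

// Stand-in for the top-level document so the example runs under Node (assumed shape).
function makePage(origin) {
  return { origin, body: "original article text", bannerVisible: true };
}

// Stand-in for a DOM MessageEvent: `origin` is filled in by the browser from the
// sender's real origin and cannot be forged by the sending frame; `data` is
// entirely sender-controlled.
function makeEvent(origin, data) {
  return { origin, data };
}

// Vulnerable pattern: event.origin is never inspected, so any cross-origin iframe
// embedded in the page can drive the bridge and rewrite the top document. This is
// the Same-Origin Policy bypass the advisory describes.
function handleMessageUnsafe(page, event) {
  const msg = event.data;
  if (msg && msg.type === "autoconsent:setContent") {
    page.body = msg.html; // sender-controlled markup lands in the trusted page
    return true;
  }
  return false;
}

// Hardened pattern:
//  1. accept only senders whose origin is on an explicit allow-list;
//  2. accept only a fixed command vocabulary;
//  3. never take raw markup from the message; a command names a predefined action.
const ALLOWED_COMMANDS = new Set(["autoconsent:hideBanner", "autoconsent:showBanner"]);

function handleMessageSafe(page, event, trustedOrigins) {
  if (!trustedOrigins.includes(event.origin)) {
    return false; // drop silently; untrusted frames learn nothing about the bridge
  }
  const msg = event.data;
  if (!msg || typeof msg.type !== "string" || !ALLOWED_COMMANDS.has(msg.type)) {
    return false; // unknown or malformed command, even from a trusted origin
  }
  page.bannerVisible = msg.type === "autoconsent:showBanner";
  return true;
}

// Scenario (constructed): the page at https://victim.example embeds an iframe from
// https://attacker.example, which posts a content-rewrite command to the bridge.
function demo() {
  const crossOrigin = makeEvent("https://attacker.example",
    { type: "autoconsent:setContent", html: "<p>defaced</p>" });

  const unsafePage = makePage("https://victim.example");
  const unsafeAccepted = handleMessageUnsafe(unsafePage, crossOrigin);

  const safePage = makePage("https://victim.example");
  const trusted = [safePage.origin];
  const safeAcceptedCross = handleMessageSafe(safePage, crossOrigin, trusted);
  const safeAcceptedOwn = handleMessageSafe(
    safePage, makeEvent(safePage.origin, { type: "autoconsent:hideBanner" }), trusted);

  return {
    unsafeAccepted, unsafeBody: unsafePage.body,
    safeAcceptedCross, safeBody: safePage.body,
    safeAcceptedOwn, bannerVisible: safePage.bannerVisible,
  };
}

console.log(demo());
```

In a real page the handler would be registered with `window.addEventListener("message", ...)` and compare `event.origin` (and, where a specific frame is expected, `event.source`) against the allow-list. For a WebView bridge the equivalent control belongs on the native side; AndroidX's `WebViewCompat.addWebMessageListener` takes a set of allowed origin rules for exactly this reason. The fix the page describes, "properly verifies message origins", is the first check in `handleMessageSafe`.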
February 2026: 758
January 2026: 758
December 2025: 758
November 2025: 758
October 2025: 758
September 2025: 758
August 2025: 758
July 2025: 758
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for DuckDuckGo?
What was DuckDuckGo's A.I Rankiteo Cyber Score in May 2026?
What was DuckDuckGo's A.I Rankiteo Cyber Score in April 2026?
What was DuckDuckGo's A.I Rankiteo Cyber Score in March 2026?
What was DuckDuckGo's A.I Rankiteo Cyber Score in February 2026?
What was DuckDuckGo's A.I Rankiteo Cyber Score in January 2026?
What was DuckDuckGo's A.I Rankiteo Cyber Score in December 2025?
What was DuckDuckGo's A.I Rankiteo Cyber Score in November 2025?
What was DuckDuckGo's A.I Rankiteo Cyber Score in October 2025?
What was DuckDuckGo's A.I Rankiteo Cyber Score in September 2025?
What was DuckDuckGo's A.I Rankiteo Cyber Score in August 2025?
What was DuckDuckGo's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on DuckDuckGo's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with DuckDuckGo?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view DuckDuckGo's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?