More than 700 websites running the Ghost content management system have been compromised through a recently disclosed vulnerability, CVE-2026-26980, according to research by Chinese cybersecurity firm Qianxin XLab reported Monday by SecurityWeek. The flaw affects Ghost versions 3.24.0 through 6.19.0 and allows unauthenticated attackers to read arbitrary database content. Using this access, attackers reportedly obtained Ghost Admin API keys and bulk-edited articles to inject malicious JavaScript loaders enabling ClickFix social engineering attacks. Impacted sites are said to include properties linked to DuckDuckGo, Harvard University and Oxford University. The issue is patched in Ghost version 6.19.1, according to the National Vulnerability Database.
Prepared by Jonathan Pierce and reviewed by the editorial team.
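Your favorite websites may be at risk. More than 700 websites, including DuckDuckGo and university pages, have been compromised. Hackers exploited a vulnerability in Ghost CMS to read database content and inject malicious code. If you use these websites, your data may be exposed.
Always keep your software updated. Ghost has patched the vulnerability in version 6.19.1. If you run a website on Ghost, upgrade immediately. Remember that even trusted websites can be hacked. Be cautious when sharing personal information. If you know someone with a Ghost site, this is worth forwarding.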