Hackers found a security hole in Ghost CMS, a software that runs websites, and used it to take control of over 700 sites. The flaw is called CVE-2026-26980. Security researchers discovered the hackers were using the hijacked sites to run ClickFix attacks, which is a type of scam that tricks people into giving away passwords and personal information.
Ghost CMS is popular with bloggers and small news sites because it is simple to use. The security hole in the software let attackers break in without needing a real password. Once inside, the hackers could change the website and add their own malicious code that visitors would download.
Website owners and their visitors are at risk. If someone visits one of these hijacked sites, their computer could be infected with malware that steals login information for email, banking, and social media accounts. Website owners who use Ghost CMS may not even know their site was taken over until security experts find it.
Ghost CMS released a security update to fix the hole, but not all website owners have installed it yet. Security companies are working to identify all the hijacked sites so they can notify the owners. People should update their Ghost CMS software right away if they use it, and regular web users should watch out for strange pop-ups or messages asking them to download files from unfamiliar sites.