Ghost CMS SQLi Exploited, Drupal Core SQLi Active, Cisco 10.0 Fix
Threat researchers uncovered a large‑scale campaign abusing CVE‑2026‑26980, a critical SQL injection flaw in Ghost CMS (CVSS 9.4), to steal admin API keys and inject malicious JavaScript that triggers ClickFix attacks. Over 700 sites, including Harvard, Oxford and DuckDuckGo, were compromised, highlighting the need to upgrade to Ghost 6.19.1 and rotate keys.
The U.S. Cybersecurity and Infrastructure Security Agency added Drupal Core’s CVE‑2026‑9082 SQL injection flaw to its Known Exploited Vulnerabilities catalog, citing active attacks. The bug can let unauthenticated users execute arbitrary SQL, potentially leading to privilege escalation or remote code execution. Immediate patching is urged for all supported Drupal installations.
Cisco released updates for Secure Workload that close a CVSS 10.0 vulnerability (CVE‑2026‑20223). The flaw allowed unauthenticated remote attackers to access internal REST API endpoints and read or modify tenant data with Site Admin privileges. Upgrading to the fixed releases (3.10.8.3 or later) mitigates the issue.
Subscribe free