Stories tagged: #sql-injection

> May 26, 2026#cve #ghost-cms

Ghost CMS SQLi (CVE-2026-26980) hijacks 700+ sites — Harvard, Oxford, DuckDuckGo serve ClickFix

An unauthenticated SQL injection in Ghost's Content API leaks admin API keys. Attackers chain it into stored XSS and a fake Cloudflare ClickFix lure. Upgrade to 6.19.1.

> May 24, 2026#cve #drupal

Drupal patches highly critical SQL injection (CVE-2026-9082) — exploited in the wild within 48h

An unauthenticated SQL injection in Drupal core's database abstraction API affects every PostgreSQL-backed site. Drupal scored it 23/25. Attacks started two days after the patch dropped.