Data exposed can include bcrypt password hashes, session secrets, and—critically—Admin API keys . Those keys open a much larger door: the Ghost Admin API, which has full authority to create and modify posts, pages, and site content.
The patch arrived quietly in Ghost 6.19.1, but many operators never applied it, leaving the door wide open for exploitation .
Discovered in May 2026 by threat intelligence researchers at Qianxin’s XLab team, the campaign has already poisoned over 700 domains, including highly reputable sites . The confirmed victims include portals owned by Harvard University, Oxford University, Auburn University, and the privacy-focused search engine DuckDuckGo
.
At least two competing threat groups are racing to compromise the same vulnerable sites. In some cases, researchers observed a single Ghost instance injected with one group’s malicious code, only to be reinfected by a rival hours later .
The injected JavaScript is intentionally small; it acts as a two-stage loader that fetches the actual attack logic from an external server . Observed downstream payloads include:
Because the attack chain involves both database reads and authenticated content tampering, remediation must address the vulnerability itself and the downstream damage of a possible compromise.
slug filter parameters, as well as bulk update activity on posts Patches ship fast, but adoption is always the real bottleneck. This campaign is a sobering reminder that high-severity CMS vulnerabilities don’t disappear after disclosure—they become ammunition, and attackers will actively target the organizations that didn’t get the memo.