
Ghost CMS SQL injection is hijacking 700+ sites — Harvard and DuckDuckGo among them

  • Shipped
  • Action required
  • High importance

CVE-2026-26980 is a blind SQL injection in the Content API, rated 9.4, and it lets an unauthenticated attacker read straight out of the database — including the admin API key. The fix shipped in Ghost 6.19.1 back in February. So the news here isn't the bug; it's that XLab now counts 700-plus live victims — university portals and DuckDuckGo among them — still running unpatched on the 3.24 through 6.19 range three months later. With the stolen admin key, the attackers inject JavaScript into articles that kicks off a ClickFix flow — the fake "verify you're human" prompt that talks a visitor into pasting a malicious command into their own terminal. Harvard, Oxford, and Auburn portals were among those caught serving it. If you self-host Ghost, 6.19.1 closes the hole (it swaps raw SQL interpolation for parameterized Knex bindings). Patching the CMS won't un-leak an API key that already walked, though, so rotate that too.
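The fix the post mentions is the standard one: stop splicing request values into SQL text and pass them as bindings. As an added example (not Ghost's code; Ghost runs Knex against MySQL, and the schema, slug parameter and key value below are constructed stand-ins), here is the same mechanism in Python against an in-memory SQLite database, with the interpolated lookup beside the parameterized one so the difference in behaviour is observable:

```python
import sqlite3

# Constructed toy schema standing in for a CMS database (not Ghost's real tables).
SCHEMA = """
CREATE TABLE posts (id INTEGER PRIMARY KEY, slug TEXT, title TEXT, status TEXT);
CREATE TABLE api_keys (id INTEGER PRIMARY KEY, type TEXT, secret TEXT);
INSERT INTO posts VALUES (1, 'welcome', 'Welcome', 'published');
INSERT INTO posts VALUES (2, 'draft-roadmap', 'Roadmap', 'draft');
INSERT INTO api_keys VALUES (1, 'admin', 'CONSTRUCTED-ADMIN-SECRET');
"""


def fresh_db():
    """Return a new in-memory database populated with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_interpolated(conn, slug):
    """Vulnerable form: the caller-controlled slug becomes part of the SQL text,
    so a crafted value can change the query's structure (e.g. add a UNION)."""
    sql = f"SELECT title FROM posts WHERE slug = '{slug}' AND status = 'published'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, slug):
    """Hardened form: the SQL text is fixed and the slug travels as a bound
    parameter, so whatever it contains is compared as a literal string."""
    sql = "SELECT title FROM posts WHERE slug = ? AND status = 'published'"
    return [row[0] for row in conn.execute(sql, (slug,))]


# A textbook UNION payload, used here only to show that the bound version
# treats it as an ordinary (non-matching) slug value.
PAYLOAD = "x' UNION SELECT secret FROM api_keys --"


if __name__ == "__main__":
    print("benign, interpolated:", lookup_interpolated(fresh_db(), "welcome"))
    print("benign, bound:       ", lookup_bound(fresh_db(), "welcome"))
    print("payload, interpolated:", lookup_interpolated(fresh_db(), PAYLOAD))
    print("payload, bound:       ", lookup_bound(fresh_db(), PAYLOAD))
```

Both functions return `['Welcome']` for a normal slug; with the crafted value the interpolated query returns the row from the unrelated `api_keys` table, while the bound query returns nothing. The Knex equivalent is to let the query builder emit placeholders (`knex('posts').where({ slug })`) or, for hand-written SQL, to pass values as the bindings array of `knex.raw(sql, bindings)` rather than templating them into the string.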