CVE-2026-26980 is a CVSS 9.5 unauthenticated SQL injection in the Ghost CMS Content API affecting all versions from 3.24.0 through 6.19.0, patched in v6.19.1 released February 19, 2026. Active exploitation across 700+ domains has been reported, with attackers extracting admin API keys and injecting malicious JavaScript to redirect site visitors into ClickFix payload delivery. Organizations in education, fintech, and media are confirmed affected.