VYPR
AI Brief2026-05-27· generated May 27, 2026

Ghost CMS Zero-Day Hits 700+ Sites

A critical Ghost CMS SQL injection is actively exploited in a massive ClickFix campaign, while a wave of legacy flaws resurfaces across routers, backup appliances, and surveillance software.

Ghost CMS CVE-2026-26980 is being actively exploited in a large-scale ClickFix campaign that has already compromised over 700 websites. The vulnerability is an unauthenticated SQL injection in Ghost versions 3.24.0 through 6.19.0, allowing attackers to perform arbitrary reads from the database and, as BleepingComputer reported, escalate to credential theft and session hijacking. The campaign, tracked by multiple security vendors, uses compromised Ghost instances to serve fake browser update prompts that deploy ClickFix malware — a social-engineering technique that tricks users into copying and running malicious PowerShell commands. The Hacker News noted that the attackers appear to be scanning for unpatched instances at scale. Ghost released a fix in version 6.19.1; any organization running an earlier version should treat this as an emergency patching priority given the confirmed in-the-wild exploitation.

A critical unauthenticated heap-based buffer overflow in Arcserve Unified Data Protection (CVE-2025-34523) carries a 9.8 CVSS score and an EPSS of 0.01, placing it among the highest-risk entries in today's window. The flaw resides in the network-facing input handling routines of Arcserve UDP and is reachable without any authentication, making it trivially exploitable from the network perimeter. Arcserve UDP is widely deployed for enterprise backup and disaster recovery, meaning a successful exploit could give attackers a beachhead inside critical infrastructure with access to backup data stores. Organizations running Arcserve UDP should verify whether a patch is available and isolate the management interface from untrusted networks until one can be applied.

Several legacy vulnerabilities with high EPSS scores signal active scanning or exploitation campaigns targeting aging software. CVE-2012-10060, a stack-based buffer overflow in Sysax Multi Server's SSH service (CVSS 9.8, EPSS 0.69), allows unauthenticated remote code execution via an overly long username during SSH authentication — a classic vector that attackers continue to weaponize against exposed instances. CVE-2012-10047, a SQL injection in Cyclope Employee Surveillance Solution (EPSS 0.53), and CVE-2013-10068, a stack buffer overflow in Foxit Reader's NPAPI plugin (EPSS 0.59), round out the legacy cluster. CVE-2012-10027, an unauthenticated file upload in the WordPress WP-Property plugin (EPSS 0.74), is particularly concerning given the massive attack surface of WordPress and the plugin's ability to yield full server compromise via uploaded PHP shells.

A cluster of router and IoT vulnerabilities underscores the persistent risk to edge and embedded devices. CVE-2013-10050 (CVSS 8.8, EPSS 0.65) is an authenticated OS command injection in multiple D-Link router models including the DIR-300 and DIR-615, exploitable through the tools_vct.xgi CGI endpoint. CVE-2026-0625 affects a broader set of D-Link DSL/DIR/DNS devices with an authentication bypass in the dnscfg.cgi endpoint, allowing unauthenticated attackers to modify DNS configuration — a powerful vector for traffic interception and phishing redirection. CVE-2026-41922 (CVSS 9.8) is an unauthenticated OS command injection in the WDR201A WiFi Extender's wireless.cgi binary. Many of these devices are end-of-life and will never receive patches, making network segmentation and replacement the only viable mitigations.

Supply-chain and open-source vulnerabilities add to the patching burden. CVE-2021-47952 (CVSS 9.8) affects python jsonpickle 2.0.0, allowing RCE via deserialization of malicious JSON payloads containing py/repr objects — a critical finding for any Python application using jsonpickle to deserialize untrusted data. CVE-2026-31217 is an arbitrary code execution vulnerability in the optimate project's neural_magic_training.py script, triggered when a user supplies a crafted model directory path. CVE-2026-22208 (CVSS 9.6) affects OpenS100, the reference implementation of the S-100 maritime data standard, via an unrestricted Lua interpreter that lacks sandboxing — a niche but potentially high-impact finding for maritime navigation systems. CVE-2020-36851 affects the Rob--W cors-anywhere open proxy, allowing SSRF attacks against internal networks when instances are misconfigured as open proxies.

Additional critical vulnerabilities in enterprise and surveillance software warrant attention. CVE-2025-34163 is an unauthenticated arbitrary file upload in Dongsheng Logistics Software, allowing attackers to upload executable scripts via the /CommMng/Print/UploadMailFile endpoint. CVE-2025-34162 is an unauthenticated SQL injection in the Bian Que Feijiu Intelligent Emergency and Quality Control System, a medical-sector application that could expose sensitive patient data. CVE-2025-34186 (CVSS 9.8) affects Ilevia EVE X1/X5 Server versions up to 4.7.18.0, where unsanitized input is passed to a system() call during authentication, enabling command injection. CVE-2026-31216 is an unauthorized file deletion vulnerability in nexent v1.7.5.2's storage API, which could be used to sabotage backup or archival systems. CVE-2020-37002 (CVSS 9.8) is a post-authenticated RCE in Ajenti 2.1.36 via the /api/terminal/create endpoint.

Synthesized by Vypr AI