Ghost CMS Security Scanner

Is Your Ghost CMS Site Already Compromised?

CVE-2026-26980 is actively exploited. Over 700 Ghost sites — including Harvard and Oxford — had malicious JavaScript silently injected into published articles. DygDog detects it passively in seconds.

Free for up to 3 scans per month. No credit card required.

What DygDog Checks on Ghost Sites

Seven Ghost-specific vulnerability classes, mapped 1:1 to the passive checks DygDog runs against your site.

CVE-2026-26980 Version Check

Detects unpatched Ghost versions vulnerable to unauthenticated SQL injection. The detected version is cross-referenced against the known-vulnerable range and a remediation path is surfaced.

ClickFix Injection Detection

Scans your published posts for malicious JavaScript patterns used in the active attack campaign. DygDog passively fetches publicly visible post content and checks for known ClickFix payloads.

Admin API Key Exposure

Checks public endpoints and config files for leaked credentials. Ghost Admin API keys grant full write access — exposure is treated as critical regardless of other mitigations.

Admin Panel Exposure

Verifies your /ghost/ admin interface is not publicly indexable. An exposed admin login surface broadens the attack area for credential-stuffing and brute-force attempts.

Content API Key Leakage

Detects Ghost API keys exposed in your page source. Content API keys embedded in frontend JavaScript or HTML can be scraped and abused to exfiltrate subscriber data.

Debug Mode Detection

Flags production instances running with debug headers enabled. Debug mode leaks stack traces, internal paths, and configuration details that give attackers a detailed map of your install.

Member Signup Surface

Audits public membership endpoints for unnecessary exposure. Open signup surfaces can be abused for spam, data harvesting, and enumeration of your Ghost instance configuration.

Ghost powers over 100,000 websites. Unlike WordPress, Ghost has almost no dedicated security tooling. The February 2026 SQLi vulnerability gave attackers unauthenticated access to the Admin API — letting them rewrite published articles with ClickFix malware without touching your server. DygDog's passive scanner detects both the unpatched version and the injected content itself, with no login, no agent, and no disruption to your site.
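As an added illustration, not DygDog's own code, of how passive checks like the version, API-key and admin-panel ones above can work on already-fetched page source: the script below inspects a homepage and robots.txt that were retrieved with plain GET requests. The Ghost key shapes (26-hex Content API key, 24-hex:64-hex Admin API key) and the default `Disallow: /ghost/` robots rule are assumptions, and the HTML is constructed sample input.

```python
"""Passive Ghost page-source audit (added example, not DygDog's code).

Works on text that was already fetched, so it runs offline. In a real scan
the inputs would be the homepage body and /robots.txt obtained via GET.
"""
import re

# Assumption: Ghost Content API keys are 26 lowercase hex chars and Admin API
# keys are "<24-hex id>:<64-hex secret>". Admin keys are matched first so the
# content-key pass does not re-match their halves.
ADMIN_KEY_RE = re.compile(r"\b[0-9a-f]{24}:[0-9a-f]{64}\b")
CONTENT_KEY_RE = re.compile(r"\b[0-9a-f]{26}\b")
# Ghost advertises its version in the generator meta tag.
GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="Ghost\s+([\d.]+)"', re.I)


def audit_ghost_page(html: str, robots_txt: str = "") -> list:
    """Return (severity, check, detail) tuples for one site's public pages."""
    findings = []
    m = GENERATOR_RE.search(html)
    # Version is reported as info; compare it against the advisory's range.
    findings.append(("info", "ghost_version", m.group(1) if m else "not advertised"))
    # Admin API keys grant full write access: critical regardless of mitigations.
    for key in sorted(set(ADMIN_KEY_RE.findall(html))):
        findings.append(("critical", "admin_api_key_exposed", key[:8] + "..."))
    scrubbed = ADMIN_KEY_RE.sub("", html)  # remove admin keys before the content pass
    for key in sorted(set(CONTENT_KEY_RE.findall(scrubbed))):
        findings.append(("medium", "content_api_key_in_source", key[:8] + "..."))
    # Assumption: Ghost's default robots.txt carries "Disallow: /ghost/".
    disallowed = any(
        line.split(":", 1)[1].strip().startswith("/ghost")
        for line in robots_txt.splitlines()
        if line.lower().startswith("disallow:")
    )
    if not disallowed:
        findings.append(("low", "admin_panel_indexable", "/ghost/ not disallowed in robots.txt"))
    return findings


# Constructed sample input: a Portal script tag carrying a Content API key and
# an Admin API key accidentally left in an HTML comment.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="Ghost 5.75.0">
<script defer src="/portal.min.js" data-key="0123456789abcdef0123456789"
  data-api="https://blog.example/ghost/api/content/"></script>
</head><body>
<!-- 0123456789abcdef01234567:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef -->
</body></html>"""
SAMPLE_ROBOTS = "User-agent: *\nSitemap: https://blog.example/sitemap.xml\n"

if __name__ == "__main__":
    for severity, check, detail in audit_ghost_page(SAMPLE_HTML, SAMPLE_ROBOTS):
        print(f"[{severity:8}] {check}: {detail}")
```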

CVE-2026-26980 — Ghost CMS unauthenticated SQL injection

Earn your security badge

Every completed scan generates an embeddable security score badge. Drop it on your README, status page, or footer. Here's what ours looks like:

Frequently asked questions

Is this scanner safe to run on my Ghost site?
Yes — DygDog is 100% passive. It sends GET and HEAD requests to publicly reachable URLs only. It never POSTs payloads, never attempts authentication, never modifies state, and never tries to exploit anything it finds. The network footprint is identical to a search engine crawler. You can run it on production without risk.
Do I need access to my Ghost admin panel?
No. DygDog scans your site externally over HTTPS — exactly the way an attacker on the public internet would see it. There is no plugin to install, no credentials to share, no admin access required, and no agent to deploy. Enter your domain and the scan completes in about 30 seconds.
Does DygDog detect injected content from CVE-2026-26980?
Yes. Beyond version fingerprinting, DygDog fetches your publicly visible post content and checks for known ClickFix JavaScript patterns associated with the February 2026 attack campaign. If malicious scripts were injected via the unauthenticated Admin API exploit, the scanner will surface them as findings — even if the Ghost instance has since been patched.

Run a free Ghost CMS scan in under 30 seconds

No admin access. No credentials. No agent to install. Enter your domain and get a comprehensive Ghost CMS security report immediately.