Joomla, Ghost CMS, and SharePoint: Three Patches Your Business Cannot Afford to Skip This Week
Over 700 websites are currently serving malware to their visitors. The owners of those websites almost certainly do not know. The attack exploited a vulnerability in Ghost CMS, a platform widely used by small businesses and independent publishers for websites and newsletters. The patch has been available. The exploitation happened anyway.
That is today’s signal. Not a theoretical risk. An active, measured campaign.
This week produced three vulnerability disclosures that matter directly to UK small businesses. Not because of their CVSS scores, though those are severe. Because of what each one actually means for a business with a website, a file-sharing system, or a standard Microsoft 365 deployment.
Story One: Ghost CMS Is Being Actively Exploited Right Now
CVE-2026-26980 is a critical SQL injection flaw in Ghost CMS, the open-source platform used by thousands of small businesses and independent publishers for websites, blogs, and newsletters.
The flaw has been weaponised. Two distinct threat actor groups have used it to silently compromise more than 700 websites and inject malicious JavaScript. That JavaScript delivers what researchers call ClickFix malware to every person who visits those sites. Visitors do not need to click anything suspicious. They visit a website they trust and receive malware.
SQL injection means an attacker can send crafted input to a database query and manipulate it to extract data, modify records, or in this case, plant code. The attack does not require stealing credentials or social engineering anyone. It goes directly at the application.
What this means for your business: If your website runs Ghost CMS, treat it as potentially compromised until you have verified your version and applied the patch. Check your Ghost version against the published fix. Audit any JavaScript loaded by your site. If you have a managed website provider, ask them today what version they are running and when it was last updated. Do not accept “we handle updates” as an answer. Ask for the version number.
The collateral damage here extends beyond the website owner. Every visitor to a compromised site is at risk. If your clients visit your website and you are running an unpatched Ghost installation, you are a vector into their systems. That is a supplier risk conversation, and it cuts both ways.
Story Two: Joomla Has Three Critical Privilege Escalation Flaws
Joomla, one of the most widely deployed content management systems for small business websites globally, published three separate vulnerabilities this week, all scored 9.8 out of 10 on the CVSS severity scale.
CVE-2026-48898 and CVE-2026-48899 both describe improper access checks that allow privilege escalation through the com_users batch task. CVE-2026-48904 describes a similar flaw through the com_users group editing webservice endpoint.
Privilege escalation means an attacker who already has a low-level account on your Joomla system, a subscriber account, a contributor account, any authenticated access, can elevate themselves to administrator. From there, they can modify your site, extract your user database, install backdoors, or redirect visitors to malicious content.
Three separate flaws in the same user management component is not a coincidence. It suggests the underlying access control logic in that component has structural problems, not isolated bugs.
The scoring matters here. A CVSS score of 9.8 out of 10 places these vulnerabilities in the critical tier. They require no special conditions to exploit. Any authenticated user, including someone who created a free account on your site to leave a comment, can potentially leverage these flaws.
What this means for your business: If your website runs Joomla, apply the patch immediately. Do not schedule it for next week’s maintenance window. Log in to your Joomla admin panel, check your current version, and update. While you are there, review your user list. Remove any accounts that should not be there. Disable user self-registration if you do not need it. That removes one avenue of attack.
If an MSP or web developer manages your Joomla site, contact them today and confirm the patch has been applied. Get it in writing.
Story Three: Microsoft SharePoint Server Needs Patching
CVE-2026-45659 is a remote code execution vulnerability in Microsoft SharePoint Server, affecting multiple versions of the platform. The flaw involves deserialisation of untrusted data, a class of vulnerability where an attacker sends crafted data that the server processes in a way that executes attacker-supplied code.
The CVSS score is 8.8. The key detail from the research is that exploitation requires only an authenticated attacker with minimal permissions. No administrator access required. A standard user account is sufficient.
SharePoint is used extensively by UK small businesses as a file-sharing and collaboration platform, often as part of Microsoft 365. If your business uses SharePoint Server (the on-premises version, not purely the cloud-hosted SharePoint Online), this vulnerability applies to you.
The distinction matters. SharePoint Online, the cloud-hosted version within Microsoft 365, is patched by Microsoft automatically. SharePoint Server, installed and managed on your own infrastructure or by your IT provider, requires you or your provider to apply the patch.
If you are unsure which version you use, ask your IT provider or MSP. The answer to “do we run SharePoint Server on-premises” is not a technical question. It is an asset management question. You should know what infrastructure your business runs.
Microsoft has released patches across the affected server versions. Apply them.
Why Patching Lags, and Why That Argument Does Not Hold
The standard justification for delayed patching in small businesses is operational risk: we cannot take systems offline, updates break things, we will do it in the next maintenance window.
The data from the Ghost CMS exploitation punctures that argument. The 700+ compromised websites were not attacked by sophisticated nation-state actors using novel techniques. They were attacked through a known SQL injection flaw by criminal groups running automated tooling. The attack does not care about your maintenance schedule.
The operational risk of patching is real. The operational risk of not patching is also real, and it is measurable: 700 websites currently serving malware to their visitors, with owners who do not yet know.
The calculus is straightforward. Test the patch in a staging environment if you have one. Apply it to production. Document that you did it. The alternative is documented negligence in the event of a breach and a conversation with the ICO about why you knew about a critical vulnerability and did not act.
How Staying Current Gives You a Competitive Edge
Supplier security questionnaires are increasingly common in UK procurement. Larger organisations asking about your security posture will ask about patch management. Being able to demonstrate a documented, timely patching process is a concrete differentiator.
More immediately: if your business website is clean while competitors running unpatched Ghost or Joomla installations are serving malware to visitors, you are protecting your client relationships by default. That is not a small thing. A client who visits your website and receives malware because you did not apply a free patch will not easily distinguish between negligence and malice. The outcome is the same: trust destroyed.
For businesses seeking or renewing Cyber Essentials certification, patch management within 14 days of a critical update is a core requirement. These three vulnerabilities, all with patches available, are exactly the kind of test case that certification assessors look at.
Making the Business Case for Patch Management
Three arguments for your board or senior leadership:
The cost of patching is low; the cost of not patching is high. Applying these patches requires time, not money. The cost of a breach involving a compromised website, including ICO notification obligations, client communication, forensic investigation, and reputational damage, is substantially higher. The Ghost CMS exploitation across 700 sites illustrates the scale of collateral damage from a single unpatched vulnerability.
Regulatory exposure is real. The ICO does not require that you prevent every possible breach. It does require that you take reasonable technical measures to protect personal data. Knowingly operating software with a published critical vulnerability and available patch is difficult to characterise as a reasonable measure. If personal data is exfiltrated through an unpatched Joomla or SharePoint system, the patch timeline will be examined.
Supplier risk flows in both directions. Your clients are increasingly asking about your security posture. Your website is part of that posture. A compromised website that serves malware to clients is a supplier security incident. It is your incident, regardless of which CMS you run.
What to Do Before the End of This Week
-
Identify what your website runs. Log in to your website’s admin panel or ask your developer. Establish whether it is Joomla, Ghost, WordPress, or another platform, and what version. Write it down. This is basic asset management.
-
Check for available updates and apply them. Joomla and Ghost both have update mechanisms built into their admin panels. If you cannot access these yourself, contact your web developer or hosting provider today. Confirm the patch has been applied and get the confirmation in writing.
-
Determine whether you run SharePoint Server on-premises. If you do, confirm with your IT provider that the May 2026 patches have been applied. If you run Microsoft 365 with SharePoint Online only, you are not directly affected by this specific CVE.
-
Audit your website user accounts. For Joomla sites particularly: review who has accounts on your website. Remove dormant or unnecessary accounts. Disable public self-registration if you do not actively use it. This reduces the attack surface for the privilege escalation flaws.
-
Ask your MSP or hosting provider for a patching confirmation. Not a verbal assurance. A written confirmation of the version numbers currently running and the date the patches were applied. If they cannot provide this, you have identified a gap in your managed service that needs addressing.