Hacker-City
News | May 24, 2026 | 6 min read

Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign

A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript that triggers ClickFix attack flows, impacting over 700 domains including major universities and technology companies.


BleepingComputer (Contributor)

A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript, which in turn triggers ClickFix attack flows.

The vulnerability was identified by threat intelligence researchers at Qianxin's XLab, a Chinese cybersecurity firm, who reported that the campaign has affected more than 700 domains, including university platforms, AI/SaaS providers, media organizations, fintech companies, security websites, and personal blogs.

The researchers confirmed that malicious code has been integrated into the websites of prominent institutions, including Harvard University, Oxford University, Auburn University, and DuckDuckGo.

CVE-2026-26980 affects Ghost versions 3.24.0 through 6.19.0 and allows unauthenticated attackers to retrieve arbitrary data from the affected site's database, including sensitive admin API keys.

Those keys grant management access to users, articles, and themes, so whoever holds them can modify article pages.

Although a security patch was released on February 19 in Ghost CMS version 6.19.1, a considerable number of sites have not yet applied it.

On February 27, SentinelOne published details on the exploitation of CVE-2026-26980 and how the attacks can be detected. Its researchers observed at least two distinct activity clusters targeting vulnerable Ghost sites; in some cases the same domains were reinfected with different scripts after cleanup, or one script removed the other and replaced it with its own.

Attack chain

The attack chain observed by XLab begins with exploitation of CVE-2026-26980 to obtain the admin API keys. The attacker then uses that privileged access to inject malicious JavaScript into articles.

The injected JavaScript is a lightweight loader that fetches second-stage code from the attacker's infrastructure; this code acts as a cloaking script, fingerprinting visitors to decide whether they match the targeting criteria.

Visitors who pass that check are shown a fake Cloudflare prompt, loaded as an iframe overlay on the article page, which carries the ClickFix lure.

The page instructs victims to prove they are human by entering a given command into the Windows command prompt, which deploys a payload on their systems.

XLab reports that various payloads were used in these attacks, including DLL loaders, JavaScript droppers, and an Electron-based malware sample named UtilifySetup.exe.

Mitigating the risk

To mitigate this vulnerability, administrators running Ghost CMS are strongly advised to update to version 6.19.1 or later and to rotate all previously issued keys, as they may already have been compromised.

XLab has published a list of indicators of compromise (IoCs), including the specific injected scripts, so site owners should examine their websites thoroughly to find and remove them.
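The examination recommended above, as an added example that is not from the original article, XLab or the Ghost project: a scanner over a Ghost content export that flags script and iframe sources pointing outside an allowlist, and any inline script, in post HTML and code-injection fields. The export shape, the field names, the allowlist and the sample posts are assumptions constructed for this example.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample of a Ghost content export (the shape and field names are
# assumptions; real exports carry more fields). One post is clean, one carries a
# scheme-relative loader in its HTML and a foreign <iframe> in its footer.
SAMPLE_EXPORT = json.dumps({
    "db": [{"data": {"posts": [
        {"slug": "welcome",
         "html": "<p>Hello</p><script src=\"https://cdn.example.org/app.js\"></script>",
         "codeinjection_head": None, "codeinjection_foot": None},
        {"slug": "compromised",
         "html": "<p>News</p><script src=\"//loader.attacker.invalid/x.js\"></script>",
         "codeinjection_head": "<script>var a=1;</script>",
         "codeinjection_foot": "<iframe src=\"https://verify.attacker.invalid/\"></iframe>"},
    ]}}]
})

# Hosts the site legitimately loads scripts from (assumption for the example).
ALLOWED_HOSTS = {"cdn.example.org"}

SRC_RE = re.compile(r"<(script|iframe)[^>]*\ssrc=[\"']?([^\"'\s>]+)", re.IGNORECASE)
INLINE_RE = re.compile(r"<script(?![^>]*\ssrc=)[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)

def host_of(url):
    """Hostname of a src URL; scheme-relative '//host/path' is resolved as https."""
    if url.startswith("//"):
        url = "https:" + url
    return urlparse(url).hostname or ""

def scan_export(export_json, allowed_hosts=ALLOWED_HOSTS):
    """Return (slug, field, kind, detail) findings: external script/iframe sources
    not in the allowlist, plus every inline script (to be reviewed by hand)."""
    findings = []
    for post in json.loads(export_json)["db"][0]["data"]["posts"]:
        for field in ("html", "codeinjection_head", "codeinjection_foot"):
            content = post.get(field) or ""
            for tag, src in SRC_RE.findall(content):
                host = host_of(src)
                if host not in allowed_hosts:
                    findings.append((post["slug"], field, tag.lower(), host))
            for body in INLINE_RE.findall(content):
                findings.append((post["slug"], field, "inline-script", body.strip()[:60]))
    return findings

if __name__ == "__main__":
    for f in scan_export(SAMPLE_EXPORT):
        print("SUSPECT post=%s field=%s kind=%s detail=%s" % f)
```

Run it against a real export with the allowlist set to the hosts the site actually uses; every finding is a candidate for comparison against the published IoCs.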

The researchers also recommend that site owners keep a 30-day archive of admin API call logs so that retrospective investigations can be carried out when needed.
