HackMyIP
2026-05-24 BleepingComputer

Ghost CMS CVE-2026-26980 SQL Injection Powers ClickFix Campaign

Zero-Day, Vulnerability, Malware

A coordinated campaign is actively exploiting a critical SQL injection flaw (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript that drives a ClickFix attack flow. Discovered by XLab threat-intel researchers at Chinese cybersecurity firm Qianxin, the operation has compromised more than 700 domains, including high-profile sites such as Harvard University, Oxford University, Auburn University, and DuckDuckGo. The vulnerability affects Ghost versions 3.24.0 through 6.19.0 and allows unauthenticated attackers to read the database and steal the admin API key, a credential that grants full management of users, posts, and themes. Although a patch was released on 19 February in Ghost 6.19.1, a significant number of installations remain unpatched.

The attack chain begins when threat actors exploit CVE-2026-26980 to extract the admin API key, then use the resulting privileges to embed a lightweight JavaScript loader into article pages. This loader contacts the attacker's infrastructure to fetch a cloaking script that fingerprints each visitor. Visitors who pass the fingerprint check are shown a fake Cloudflare security prompt displayed in an iframe. The prompt instructs victims to paste a command into the Windows command prompt, the social-engineering lure known as ClickFix. Running the command drops a variety of payloads onto the victim's system, including DLL loaders, JavaScript droppers, and an Electron-based malware sample named UtilifySetup.exe.

Mitigation requires immediate action: upgrade to Ghost 6.19.1 or later, rotate any admin API keys that may have been exposed, and conduct a thorough review of site content and files to locate and remove injected scripts. XLab published a set of indicators of compromise (IoCs) to aid detection, and recommends retaining at least 30 days of admin API call logs for retrospective analysis. Site owners should also verify that no admin accounts have turned up in data leaks; use our email breach checker to see whether any addresses appear in known breaches. Credentials must be strong and not reused, so run a quick password checker on any passwords that might have been exposed. Finally, validate your site's encryption configuration with our SSL/TLS checker to prevent man-in-the-middle interference that could aid similar attacks.
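The review step above is easiest to do systematically against a content export rather than by eyeballing pages. The script below is an added example written for this page, not code from BleepingComputer, XLab, or the Ghost project. It assumes the shape of Ghost's JSON export (a `db[0].data` object with `posts` and `settings` lists, and `html`, `codeinjection_head`, and `codeinjection_foot` fields as the places where a loader or iframe would be planted); the allowlist of script hosts and the sample export are constructed for illustration and should be replaced with your own site's values.

```python
"""Audit a Ghost content export for injected <script> and <iframe> markup.

Added example for this article; the export layout and field names below are
assumptions about Ghost's JSON export, and the sample data is constructed.
"""
import json
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: hosts your theme legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"example-blog.test", "cdn.jsdelivr.net"}


class _InjectionCollector(HTMLParser):
    """Record external scripts from unknown hosts, inline scripts, and iframes."""

    def __init__(self):
        super().__init__()
        self.findings = []      # list of (kind, detail)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            src = attrs.get("src")
            if src:
                host = urlparse(src).netloc.lower()
                # Relative sources (own assets) have no host and are not flagged.
                if host and host not in ALLOWED_SCRIPT_HOSTS:
                    self.findings.append(("external-script", src))
        elif tag == "iframe":
            # The fake Cloudflare prompt in this campaign is shown via an iframe.
            self.findings.append(("iframe", attrs.get("src", "")))

    def handle_data(self, data):
        # html.parser delivers <script> bodies as raw data; any non-empty body
        # is an inline script worth a human look.
        if self._in_script and data.strip():
            self.findings.append(("inline-script", data.strip()[:60]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def scan_html(html, where):
    """Return (location, kind, detail) tuples for suspicious markup in one field."""
    parser = _InjectionCollector()
    parser.feed(html)
    parser.close()
    return [(where, kind, detail) for kind, detail in parser.findings]


def scan_export(export):
    """Walk posts and site-wide code-injection settings of a Ghost-style export."""
    findings = []
    data = export["db"][0]["data"]
    for post in data.get("posts", []):
        slug = post.get("slug", "?")
        for field in ("html", "codeinjection_head", "codeinjection_foot"):
            if post.get(field):
                findings += scan_html(post[field], f"post:{slug}:{field}")
    for setting in data.get("settings", []):
        key = setting.get("key")
        if key in ("codeinjection_head", "codeinjection_foot") and setting.get("value"):
            findings += scan_html(setting["value"], f"settings:{key}")
    return findings


# Constructed sample export: one clean post, one with planted loader/iframe,
# and a site-wide head injection. Hosts use the reserved .invalid TLD.
SAMPLE_EXPORT = {"db": [{"data": {
    "posts": [
        {"slug": "clean-post",
         "html": '<p>Hello</p><script src="https://cdn.jsdelivr.net/npm/x.js"></script>'},
        {"slug": "compromised-post",
         "html": '<p>Article</p><script src="https://attacker-cdn.invalid/loader.js"></script>'
                 '<iframe src="https://attacker-cdn.invalid/prompt.html"></iframe>',
         "codeinjection_foot": "<script>(function(){/* injected */})()</script>"},
    ],
    "settings": [
        {"key": "title", "value": "Example Blog"},
        {"key": "codeinjection_head", "value": "<script>window.__x=1</script>"},
    ],
}}]}


def load_export(path):
    """Load a real export file (e.g. from Ghost Admin > Settings > Export)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for location, kind, detail in scan_export(SAMPLE_EXPORT):
        print(f"{location:45} {kind:16} {detail}")
```

Run it against a fresh export after patching and key rotation as well: a clean scan of the export confirms the stored content is clean, but the loader can also sit in theme files on disk, so pair this with a diff of the active theme against a known-good copy.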

Source: BleepingComputer
