Ghost CMS SQL Injection Vulnerability Facilitates Large-Scale ClickFix Campaigns
- Critical Vulnerability Exploitation: Threat actors are actively leveraging CVE-2026-26980 within Ghost CMS to execute ClickFix attack workflows.
- Extensive Domain Compromise: XLab threat intelligence has identified over 700 affected domains, including high-profile academic institutions and search engines.
- Compromised Execution Chain: Adversaries utilize exfiltrated administrative API credentials to distribute fraudulent Cloudflare verification prompts to end-users.
A large-scale campaign is currently exploiting the critical SQL injection vulnerability CVE-2026-26980 in Ghost CMS to facilitate malicious JavaScript injection and subsequent ClickFix execution flows. Analysis confirms the compromise of over 700 domains across multiple verticals, including higher education portals, enterprise SaaS/AI platforms, financial technology firms, and cybersecurity outlets.
Verified compromises include the public-facing infrastructure of Harvard University, Oxford University, Auburn University, and DuckDuckGo.
Vulnerability Scope and Technical Mechanics
The critical security flaw, CVE-2026-26980, is a SQL injection affecting Ghost CMS versions 3.24.0 through 6.19.0. It allows unauthenticated attackers to extract data from the database, including the site's administrative API keys.
With the stolen Admin API keys, the attackers inject persistent malicious JavaScript into CMS articles. The script renders a fraudulent Cloudflare verification interface in an iframe and instructs victims to execute specific commands in the Windows Command Prompt, XLab researchers at Qianxin said in a recent report.
“From the current infection situation, the attacker only needs to move the Cloaking domain out of Cloudflare's service, and the attack chain can resume normal operation, with the infected domains immediately becoming accomplices to ClickFix attacks,” the researchers said.
Through this vector, XLab has observed threat actors delivering multiple sophisticated payloads, including DLL loaders, JavaScript droppers, and the Electron-based malware variant UtilifySetup.exe.
Required Remediation Protocols
Despite the release of a formal patch in version 6.19.1 on February 19, a significant number of deployments remain unpatched and vulnerable to exploitation. The researchers said they have contacted impacted sites to notify them of the poisoning.
To secure systems against this campaign, XLab recommends:
- Urgently upgrade Ghost CMS to the official version that has fixed CVE-2026-26980.
- Rotate all credentials: Admin API Key, Content API Key, administrator password, and Session.
- Clean up implanted content: At the database level (not just the backend editor), bulk-remove <script> code segments in articles that match the fingerprints published in XLab's report.
- Audit access logs: Retain at least 30 days of Admin API call logs, and use IoCs for retrospective investigation.
- Notify users: Recommend that all users who may have visited the site during the contamination period perform local security checks.
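The database-level cleanup step above is the one most easily done wrong, because removing a script in the Ghost editor does not prove it is gone from every HTML-bearing column. The following is an added example (not XLab's or Ghost's own code) of how an operator might audit and scrub a Ghost database for injected script tags. It assumes the layout of Ghost's posts table (columns id, title, html, codeinjection_head, codeinjection_foot), uses a constructed in-memory SQLite copy with sample rows for the demonstration, and treats any script loaded from a host outside an operator-supplied allowlist as injected. The cloaking host name in the sample data is made up.

```python
"""Audit a Ghost CMS database for injected <script> tags and remove the
ones that load from hosts outside an allowlist.

Added example; not code from XLab or from the Ghost project. Assumes the
Ghost `posts` table shape (id, title, html, codeinjection_head,
codeinjection_foot). The demo rows and the cloaking host are constructed.
Always work on a backup copy of the production database first.
"""
import re
import sqlite3
from urllib.parse import urlparse

# Columns of Ghost's posts table that hold raw HTML (assumed layout).
HTML_COLUMNS = ("html", "codeinjection_head", "codeinjection_foot")

# Whole <script ...>...</script> elements; DOTALL catches multi-line payloads.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def classify_script(tag, allowed_hosts):
    """Return (kind, host): 'allowed' / 'external' for scripts with a remote
    src, 'inline' for inline or relative-path scripts (these need a human
    look rather than automatic removal)."""
    m = SRC_RE.search(tag)
    if m is None:
        return "inline", None
    host = urlparse(m.group(1)).netloc.lower()
    if not host:
        return "inline", None
    return ("allowed" if host in allowed_hosts else "external"), host


def find_scripts(conn, allowed_hosts):
    """List every script tag that is not from an allowed host."""
    findings = []
    cols = ", ".join(HTML_COLUMNS)  # constant column names, not user input
    for post_id, title, *bodies in conn.execute(f"SELECT id, title, {cols} FROM posts"):
        for column, body in zip(HTML_COLUMNS, bodies):
            for tag in SCRIPT_RE.findall(body or ""):
                kind, host = classify_script(tag, allowed_hosts)
                if kind != "allowed":
                    findings.append({"post_id": post_id, "title": title,
                                     "column": column, "kind": kind,
                                     "host": host, "tag": tag})
    return findings


def remove_external_scripts(conn, allowed_hosts):
    """Strip scripts from non-allowed hosts in place; returns count removed.
    Inline scripts are deliberately left for manual review."""
    removed = 0

    def scrub(match):
        nonlocal removed
        kind, _ = classify_script(match.group(0), allowed_hosts)
        if kind == "external":
            removed += 1
            return ""
        return match.group(0)

    cols = ", ".join(HTML_COLUMNS)
    for post_id, *bodies in conn.execute(f"SELECT id, {cols} FROM posts").fetchall():
        for column, body in zip(HTML_COLUMNS, bodies):
            if not body:
                continue
            cleaned = SCRIPT_RE.sub(scrub, body)
            if cleaned != body:
                conn.execute(f"UPDATE posts SET {column} = ? WHERE id = ?", (cleaned, post_id))
    conn.commit()
    return removed


def build_demo_db():
    """Constructed in-memory stand-in for a Ghost posts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id TEXT PRIMARY KEY, title TEXT, html TEXT, "
                 "codeinjection_head TEXT, codeinjection_foot TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?, ?, ?)", [
        ("p1", "Welcome", '<p>Hello</p><script src="https://cdn.example-cloak.test/v.js"></script>', None, None),
        ("p2", "About", "<p>About us</p>",
         '<script src="https://www.googletagmanager.com/gtag/js?id=G-X"></script>', None),
        ("p3", "Pricing", "<p>Plans</p>", None, "<script>window.__x = 1;</script>"),
        ("p4", "Clean", "<p>Nothing here</p>", None, None),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    allowed = {"www.googletagmanager.com"}
    for f in find_scripts(db, allowed):
        print(f"{f['post_id']} {f['column']} {f['kind']} host={f['host']}")
    print("removed:", remove_external_scripts(db, allowed))
```

Against a real deployment the same queries run through the MySQL driver Ghost uses in production (with its own parameter placeholder style); the allowlist should be built from the hosts the site legitimately loads scripts from, and the inline findings reviewed by hand before anything else is deleted. Ghost also keeps site-wide code injection in its settings table, which is worth checking with the same pattern (an assumption about the schema, not something the page states).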
In March, ReliaQuest reports outlined a novel DeepLoad malware campaign that uses the ClickFix delivery method, with a payload likely relying on AI-generated evasion, and described the LeakNet ransomware group hosting ClickFix lures on compromised legitimate websites.
In other recent news, a report found that Google API keys remain usable for up to 23 minutes after deletion.