Ghost CMS SQL Injection Flaw (CVE-2026-26980) Exploited in ClickFix Campaign

by Anika Shah - Technology
0 comments

Critical SQL Injection Vulnerability in Ghost CMS Fuels Large-Scale ClickFix Campaign

A significant cybersecurity threat is currently targeting Ghost CMS installations, leveraging a critical SQL injection vulnerability to compromise websites and deliver malicious payloads. Threat intelligence researchers at Qianxin’s XLab have identified a widespread campaign exploiting CVE-2026-26980, which impacts versions of Ghost CMS ranging from 3.24.0 through 6.19.0.

Critical SQL Injection Vulnerability in Ghost CMS Fuels Large-Scale ClickFix Campaign
Critical SQL Injection Vulnerability in Ghost CMS Fuels

The campaign has affected more than 700 domains, including high-profile university portals, fintech firms, media outlets, and various AI and SaaS companies. Researchers have observed threat actors successfully injecting malicious scripts into the websites of institutions such as Harvard University, Oxford University, Auburn University, and DuckDuckGo.

Understanding the Attack Chain

The attack begins by exploiting CVE-2026-26980, which allows unauthenticated attackers to read arbitrary data from the website’s database. By extracting admin API keys, the attackers gain elevated privileges, enabling them to modify article pages and inject malicious JavaScript.

This JavaScript acts as a lightweight loader that fetches a second-stage, cloaked script. This script performs visitor fingerprinting to determine if the user is a viable target. Those who pass the check are presented with a fraudulent Cloudflare-branded prompt—a tactic known as a “ClickFix” attack. The prompt instructs the user to verify their identity by executing a command in the Windows command prompt, which ultimately installs malware on the victim’s system. XLab researchers have documented various payloads associated with this campaign, including DLL loaders, JavaScript droppers, and an Electron-based malware sample identified as UtilifySetup.exe.

Timeline and Remediation

Although a security patch for this vulnerability was released on February 19, 2026, in Ghost CMS version 6.19.1, many site administrators have yet to apply the update. SentinelOne confirmed the active exploitation of this vulnerability in late February, noting that multiple threat clusters are competing to infect or re-infect vulnerable domains.

Timeline and Remediation
Injection Flaw Ghost

Key Takeaways for Administrators

  • Immediate Patching: Upgrade all Ghost CMS instances to version 6.19.1 or later immediately.
  • Credential Rotation: Because the vulnerability allows for the theft of admin API keys, administrators must rotate all existing API keys and secrets to prevent continued unauthorized access.
  • Forensic Review: Conduct a thorough scan of your website for injected scripts and unauthorized modifications.
  • Log Analysis: Researchers recommend maintaining at least 30 days of admin API call logs to assist in identifying past unauthorized activity.

As this campaign continues to evolve, website owners must prioritize rigorous patch management. Failing to secure the underlying CMS infrastructure leaves the door open for attackers to manipulate content and compromise the systems of unsuspecting visitors.

Related Posts

Leave a Comment