Ghost CMS Flaw Hijacks 700+ Sites in ClickFix Attack

A security flaw in Ghost CMS is turning trusted websites into traps. Attackers are exploiting a critical SQL injection vulnerability to hijack hundreds of sites and launch a large-scale ClickFix attack against ordinary visitors — people who have no idea the pages they trust have been weaponized.

The vulnerability, tracked as CVE-2026-26980, carries a CVSS score of 9.4. It affects Ghost CMS versions 3.24.0 through 6.19.0. A patch has been available since February 19, 2026, but a significant portion of the installed base never applied it. That gap gave attackers a 95-day window to industrialize exploitation across more than 700 domains.

What Is Ghost CMS and Why Does This Matter

Ghost is an open-source content management system popular with independent publishers, media organizations, universities, and SaaS companies. Because it powers legitimate, established websites, a compromise is particularly dangerous. Visitors have no reason to distrust content on a Harvard research portal or a well-known privacy-focused search engine.

That trust is exactly what this campaign exploits. Among the confirmed compromised sites are Harvard University, Oxford University, Auburn University, and DuckDuckGo. The full list spans AI and SaaS platforms, fintech firms, security outlets, and personal blogs — over 700 domains in total, discovered by XLab threat intelligence researchers at Qianxin.

How the Ghost CMS ClickFix Attack Works

The attack follows a clear multi-stage chain, and it begins without any login credentials.

CVE-2026-26980 sits in the slug filter ordering functionality of Ghost’s Content API. The original code passed user-supplied values directly into SQL statements using string concatenation rather than parameterized queries. This allows an unauthenticated attacker to read arbitrary data from the site’s database — including the admin API key.
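The difference between the two query styles the paragraph describes, as an added illustration of the bug class rather than Ghost’s actual code: one builder pastes request values straight into the SQL text, the other binds the slug as a parameter and accepts the ordering column and direction only from an allowlist (identifiers cannot be bound by a database driver, which is why ORDER BY needs an allowlist instead of a placeholder). The table and column names are assumptions for the example, and the queries are only assembled, never executed.

```javascript
// Added illustration of the bug class, not Ghost's actual code: a query built by
// string concatenation next to a parameterised, allowlisted build. Queries are
// only assembled, never executed, so this runs offline. Table and column names
// (posts, slug, published_at ...) are assumptions for the example.

// Vulnerable pattern: the caller's slug and ordering values land in the SQL text.
function buildPostQueryUnsafe(slug, orderField, orderDir) {
  return `SELECT id, title FROM posts WHERE slug = '${slug}' ` +
         `ORDER BY ${orderField} ${orderDir}`;
}

// Hardened pattern. The slug is a value, so it becomes a bound parameter.
// Column and direction are identifiers: drivers cannot bind those, so they are
// accepted only from a fixed allowlist and never copied from the request.
const ORDERABLE_COLUMNS = new Set(['published_at', 'updated_at', 'title']);
const DIRECTIONS = new Set(['ASC', 'DESC']);

function buildPostQuerySafe(slug, orderField, orderDir) {
  if (typeof slug !== 'string' || slug.length === 0 || slug.length > 191) {
    throw new TypeError('slug must be a non-empty string of at most 191 chars');
  }
  if (!ORDERABLE_COLUMNS.has(orderField)) {
    throw new RangeError(`order field not allowed: ${orderField}`);
  }
  const dir = String(orderDir).toUpperCase();
  if (!DIRECTIONS.has(dir)) {
    throw new RangeError(`order direction not allowed: ${orderDir}`);
  }
  return {
    sql: `SELECT id, title FROM posts WHERE slug = ? ORDER BY ${orderField} ${dir}`,
    params: [slug],
  };
}

// Constructed hostile ordering value: everything after the column name is
// attacker-controlled text that the unsafe builder copies into the statement.
const HOSTILE_ORDER = 'published_at; -- injected';

console.log('unsafe :', buildPostQueryUnsafe('welcome', HOSTILE_ORDER, 'ASC'));
try {
  buildPostQuerySafe('welcome', HOSTILE_ORDER, 'ASC');
} catch (err) {
  console.log('safe   : rejected ->', err.message);
}
console.log('safe   :', buildPostQuerySafe("o'reilly", 'published_at', 'desc'));
```

The safe builder also handles the quote in `o'reilly` correctly because the driver, not the query text, carries the value; the unsafe builder would have broken (or been subverted by) that same input.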

Once attackers have that key, they use the Ghost Admin API to modify published articles, injecting a malicious JavaScript loader at the bottom of legitimate pages. Nothing looks different to a reader, but the loader runs in the browser of every real visitor.

The Fake CAPTCHA Trap

The injected code loads a fraudulent Cloudflare verification page inside an iframe. The page looks like a standard “Verify you are human” prompt. It instructs the visitor to open Windows Command Prompt and paste in a command to complete verification.

That command is malware. Executing it delivers one of several observed payloads: DLL loaders, JavaScript droppers, or an Electron-based malware variant called UtilifySetup.exe.

This is what makes a ClickFix attack so effective. Traditional malware relies on automated downloads that browsers and endpoint security tools routinely flag and block. A command pasted manually by a human bypasses most of those controls entirely. The user becomes the delivery mechanism.

Cloaking Makes Detection Harder

The campaign also uses browser fingerprinting to avoid scanners. The injected second-stage script checks visitor characteristics before deciding whether to display the fake CAPTCHA, redirect, trigger a download, or serve clean content. Security crawlers typically see nothing. Real users get the lure.

XLab researchers noted that the cloaking infrastructure ran behind Cloudflare’s proxy service. Simply moving that domain to another network would be enough to resume the attack chain on any site still carrying the injected code, so the injected script itself has to be removed.

Why So Many Sites Are Still Vulnerable

The patch for CVE-2026-26980 dropped on February 19, 2026. SentinelOne published detailed exploitation guidance six days later. By May 7, attackers had built a fully automated pipeline — bulk scanning for vulnerable versions, automatic key extraction, mass article injection, and dynamic payload distribution.

This is a familiar pattern in CMS security. A critical unauthenticated flaw gets disclosed, a fix ships, and a large share of operators simply never update. Ghost is self-hosted software, which means patch management falls entirely on the site owner. There is no automatic update mechanism pushing fixes out in the background. Every unpatched installation becomes an open target.

The 95-day exploitation window reflects that operational reality. Attackers do not need to pick targets carefully. Automated scanners identify every reachable vulnerable version and hit them all, regardless of traffic volume or perceived value.

What Ghost Site Owners Must Do Now

If your site runs Ghost CMS version 3.24.0 through 6.19.0 and has not been updated, treat it as compromised until confirmed otherwise.

XLab researchers recommend the following immediate steps:

  • Upgrade to Ghost CMS version 6.19.1 or later. This is the only complete fix for CVE-2026-26980.
  • Rotate all credentials — the admin API key, content API key, administrator password, and session tokens. Assume any key that existed on an unpatched installation has been read.
  • Scrub injected content at the database level, not just through the backend editor. Look for script tags added to the bottom of published articles. The backend interface may not display injected code accurately.
  • Audit access logs. Retain at least 30 days of Admin API call logs and review them for unauthorized access patterns. Use available indicators of compromise for retrospective investigation.
  • Notify visitors who may have accessed the site during the contamination window. Recommend they run a full malware scan on any Windows machine used to browse the site in that period.
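Two of the steps above, scrubbing injected script tags and auditing Admin API logs, as an added example of checks a site owner can script; this is not XLab’s or Ghost’s tooling. The first function scans a post’s stored HTML for script tags and reports whether each one sits in the trailing part of the body, the shape the campaign leaves behind. The second reviews access-log lines for successful write calls to posts from addresses the operator does not recognise; the log line format and the `/ghost/api/admin/posts/` path prefix are assumptions for the example, and all sample data is constructed.

```javascript
// Added example, not XLab's or Ghost's tooling: two post-incident checks.
// The log format and the admin path prefix are assumptions; sample data is constructed.

// Check 1: locate <script> tags in a post body and note whether they sit in the
// trailing part of the HTML. Ghost posts rarely carry scripts at all, so any hit
// deserves a look; an external src appended after the last paragraph most of all.
function findTrailingScripts(html, tailChars = 600) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const attrs = m[1];
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    findings.push({
      offset: m.index,
      inTail: html.length - m.index <= tailChars,
      src: srcMatch ? srcMatch[1] : null,
      inlineLength: m[2].trim().length,
    });
  }
  return findings;
}

// Check 2: flag successful non-GET calls to the posts endpoint from any client
// address outside the operator's known set. Assumed (constructed) line format:
//   <iso-time> <client-ip> <method> <path> <status>
function flagAdminWrites(logLines, knownIps) {
  const lineRe = /^(\S+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3})$/;
  const hits = [];
  for (const line of logLines) {
    const m = lineRe.exec(line);
    if (!m) continue; // skip lines that do not match the assumed format
    const [, time, ip, method, path, status] = m;
    const isWrite = method !== 'GET';
    const isPostEdit = path.startsWith('/ghost/api/admin/posts/'); // assumed prefix
    if (isWrite && isPostEdit && !knownIps.has(ip) && status.startsWith('2')) {
      hits.push({ time, ip, method, path });
    }
  }
  return hits;
}

// Constructed sample post body with a loader tag appended after the last paragraph.
const SAMPLE_HTML = `<p>Intro paragraph.</p>
<p>Body paragraph with <a href="https://example.org">a link</a>.</p>
<p>Closing paragraph.</p>
<script src="https://cdn.example.invalid/loader.js"></script>`;

// Constructed sample log: one known editor, then a burst of edits from an unknown address.
const SAMPLE_LOG = [
  '2026-05-01T10:00:00Z 203.0.113.5 GET /ghost/api/admin/posts/ 200',
  '2026-05-01T10:02:13Z 203.0.113.5 PUT /ghost/api/admin/posts/abc123/ 200',
  '2026-05-02T03:41:09Z 198.51.100.77 PUT /ghost/api/admin/posts/abc123/ 200',
  '2026-05-02T03:41:10Z 198.51.100.77 PUT /ghost/api/admin/posts/def456/ 200',
  '2026-05-02T03:41:11Z 198.51.100.77 PUT /ghost/api/admin/posts/ghi789/ 401',
];
const KNOWN_IPS = new Set(['203.0.113.5']);

console.log('scripts found:', findTrailingScripts(SAMPLE_HTML));
console.log('suspicious admin writes:', flagAdminWrites(SAMPLE_LOG, KNOWN_IPS));
```

Run the first check against every published post pulled straight from the database, not against what the editor renders, for the reason the list above gives; a rejected write (the 401 line) is left out of the second check’s results on purpose, but a run of rejections from one address is worth noting separately.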

Final Thoughts

The Ghost CMS ClickFix attack campaign is a pointed reminder that two separate problems — an unpatched vulnerability and a social engineering technique — can combine into something far more damaging than either alone. SQL injection hands attackers the keys. ClickFix hands them the user.

No site is too small or too niche to be targeted. The automation behind this campaign does not discriminate. If a site runs a vulnerable version of Ghost, it is in the scanner’s queue. The fix exists, and it has existed for months. Applying it is not optional at this stage — it is urgent.

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.