Ghost CMS SQL Injection Flaw Exploited in Massive ClickFix Campaign
May 26, 2026
A critical SQL injection vulnerability in the popular open-source CMS platform Ghost CMS is being actively exploited in a large-scale campaign that injects malicious ClickFix scripts into websites. Security researchers say attackers have already compromised more than 700 domains, including university portals, SaaS platforms, blogs, and media websites.
The flaw, tracked as CVE-2026-26980, allows unauthenticated attackers to extract sensitive database data, including Admin API keys. Once attackers obtain those keys, they can modify website content and inject malicious JavaScript that tricks visitors into executing PowerShell commands on their own systems.
Vulnerability Overview
| Field | Details |
|---|---|
| Vulnerability | CVE-2026-26980 |
| Severity | Critical (CVSS 9.8) |
| Affected Software | Ghost CMS |
| Affected Versions | 3.24.0 through 6.19.0 |
| Fixed Version | 6.19.1 |
| Vulnerability Type | SQL Injection |
| Exploitation Status | Actively Exploited |
| Attack Goal | Inject malicious ClickFix JavaScript |
| Researchers | XLab researchers at Qianxin |
| Number of Impacted Domains | 700+ |
How the Attack Works
According to researchers, attackers exploit the SQL injection flaw to retrieve Ghost Admin API keys directly from vulnerable websites. Those API keys effectively grant administrative-level access to the CMS environment.
After obtaining access, threat actors inject malicious JavaScript code into legitimate webpages. The injected code loads fake verification prompts or Cloudflare-style CAPTCHA pages designed to manipulate users into manually running malicious PowerShell commands.
This technique is commonly referred to as a “ClickFix” attack because victims are socially engineered into “fixing” a fake issue themselves.
Technical Details Behind CVE-2026-26980
Researchers say the vulnerability exists within Ghost CMS’s Content API filtering mechanism. Improper sanitization of user-supplied input allows attackers to inject SQL commands through crafted requests.
The flaw impacts both SQLite and MySQL deployments and enables attackers to read arbitrary database content remotely without authentication. Sensitive information exposed may include:
- Admin API keys
- Session secrets
- Password hashes
- User credentials
- Site configuration data
Security researchers note that proof-of-concept exploits for the vulnerability are already publicly available, increasing the likelihood of additional attacks.
Large-Scale Website Compromises
The campaign reportedly impacted websites across multiple sectors, including:
- Universities
- AI companies
- SaaS providers
- Media organizations
- Financial technology firms
- Security-related websites
Some affected domains reportedly belonged to well-known educational institutions including Harvard, Oxford, and Auburn University.
Researchers also observed multiple attacker groups reinfecting previously compromised websites or replacing competing malicious scripts with their own payloads.
Why ClickFix Attacks Are Dangerous
Unlike traditional malware delivery methods, ClickFix campaigns rely heavily on social engineering. Victims are tricked into voluntarily executing commands themselves, often bypassing traditional security protections.
The typical attack flow is:
1. The user visits a compromised website
2. A fake verification prompt appears
3. The victim is instructed to press Win + R
4. A malicious PowerShell command is pasted into the Run dialog
5. Malware executes locally on the victim's machine
Because the user manually initiates execution, many endpoint defenses may not immediately flag the activity as suspicious.
Mitigation and Recommended Actions
Organizations running vulnerable Ghost CMS versions should immediately upgrade to version 6.19.1 or later.
Additional security recommendations include:
- Rotate all Ghost Admin API keys
- Review website content for unauthorized JavaScript injections
- Monitor logs for suspicious API requests
- Deploy WAF rules blocking malicious filter parameters
- Audit user accounts and sessions
- Enable continuous integrity monitoring for CMS content
Researchers also recommend scanning websites for unexpected JavaScript loaders or fake CAPTCHA pages that may indicate compromise.
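As an added example (not code from the article, the researchers, or Ghost itself), the following Python script performs that kind of scan on saved page HTML: it flags `<script>` tags served from hosts outside a site-specific allowlist and inline scripts that carry two or more ClickFix-style lure indicators. The allowlisted hosts, the placeholder loader host and the sample HTML are all constructed for illustration.

```python
# Added example, not code from the article or from Ghost: flag <script> tags whose host
# is outside a site allowlist and inline scripts with ClickFix lure indicators.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_HOSTS = {"example-blog.test", "cdn.example-blog.test"}  # hypothetical site
LURE_PATTERNS = [re.compile(p, re.I) for p in (
    r"verify\s+you\s+are\s+(a\s+)?human", r"win\s*\+\s*r",
    r"clipboard\.writeText", r"powershell")]
class ScriptCollector(HTMLParser):
    # Collects external script URLs and inline script bodies from a page.
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.external.append(src)
        elif tag == "script":
            self._buf = []  # start capturing an inline script body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def scan_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (kind, detail) findings; an empty list means nothing unexpected."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname  # None for same-origin relative paths
        if host and host not in allowed_hosts:
            findings.append(("unexpected-script-host", host))
    for body in parser.inline:
        hits = sum(1 for p in LURE_PATTERNS if p.search(body))
        if hits >= 2:  # one phrase alone is weak evidence; require two indicators
            findings.append(("clickfix-indicators", hits))
    return findings

SAMPLE_HTML = """<script src="/assets/built/main.js"></script>
<script src="https://cdn.example-blog.test/theme.js"></script>
<script src="https://loader.attacker-placeholder.test/v.js"></script>
<script>/* constructed, inert test fragment */
banner.textContent = "Verify you are human: press Win + R";
navigator.clipboard.writeText("PLACEHOLDER");</script>"""
```

Run `scan_html` over each page exported from the site (or fetched with a crawler) and treat any finding as a trigger for the key rotation and content review steps above; relative script paths are assumed to be same-origin and are not flagged.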
Final Thoughts
The Ghost CMS ClickFix campaign demonstrates how quickly attackers weaponize critical vulnerabilities once public proof-of-concept exploits become available. With hundreds of domains already compromised, organizations running outdated Ghost installations face significant risk if patches are delayed.
The campaign also highlights the growing effectiveness of social engineering-based malware delivery methods that exploit user trust rather than relying solely on technical exploits.