A Ghost CMS SQL injection flaw was exploited in a large ClickFix campaign

The main campaign uses a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript code that triggers the ClickFix attack.
The campaign was discovered by XLab intelligence researchers at Chinese cyber security company Qianxin, which confirmed the impact on more than 700 domains, including university websites, AI/SaaS companies, media outlets, fintech firms, security websites, and personal blogs.
According to researchers, malicious actors planted malicious code on the websites of Harvard University, Oxford University, Auburn University, and DuckDuckGo.

Source: XLab
CVE-2026-26980 affects Ghost 3.24.0 through 6.19.0, and allows unauthorized attackers to read arbitrary data from a website’s database, including administrator API keys.
The admin API key grants access to users, articles, and themes, and can therefore be used to modify article pages.
Although a fix for the problem was released on February 19 in Ghost CMS version 6.19.1, many sites failed to install the security update.
SentinelOne published details on February 27 about how CVE-2026-26980 was exploited in the attack and how incidents can be detected. Researchers have seen at least two distinct operations targeting vulnerable Ghost sites, sometimes re-infecting the same domains with different scripts after clean-up, or with one operation removing the other's script to inject its own.

Source: XLab
Attack chain
The attack observed by XLab first used CVE-2026-26980 to steal administrator API keys, then used the resulting elevated privileges to inject malicious JavaScript into site headers.
The injected JavaScript is a lightweight loader that fetches second-stage code from the attacker's infrastructure: an obfuscated script that fingerprints visitors to determine whether they qualify as targets.
Visitors who pass that check are served a fake Cloudflare message loaded in an iframe over the article page, which contains the ClickFix lure.

Source: XLab
The page instructs victims to prove they are human by pasting a supplied command into the Windows command prompt, which compromises their systems.
XLab has seen multiple payloads used in these attacks, including DLL loaders, JavaScript downloaders, and an Electron-based malware sample called UtiifySetup.exe.
Source: XLab
To reduce the risk
The most important step for Ghost CMS website administrators is to upgrade to version 6.19.1 or later and rotate all previously used keys, as they may have been exposed.
XLab has provided a list of indicators of compromise (IoCs), including injected scripts, so a thorough review of websites is required to detect and remove them.
The researchers recommend that website owners keep a 30-day record of admin API call logs to enable reliable retrospective investigations.
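The two checks the article recommends for site operators (confirm the install is outside the affected version range, then review rendered pages for scripts and frames that do not belong there) as an added Python example. This is not code from the article, XLab, SentinelOne or Ghost; the version range is the one the article reports, while the sample HTML, the allowlist and the placeholder hostnames in it are constructed for illustration and are not indicators from the XLab report.

```python
"""Defender-side checks for a Ghost CMS site after the CVE-2026-26980 campaign.

Added example, not code from the article or from Ghost:
  1. is_vulnerable_version(): is an installed Ghost version inside the
     affected range 3.24.0 .. 6.19.0 reported in the article?
  2. find_unexpected_embeds(): list <script src>, inline <script> bodies and
     <iframe src> in a rendered page that are not self-hosted or on an
     operator-supplied allowlist, a cheap first pass when reviewing a site
     for an injected loader or lure frame before comparing against the IoCs.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

AFFECTED_MIN = (3, 24, 0)   # first affected release per the article
FIXED = (6, 19, 1)          # release that shipped the fix


def parse_version(v: str) -> tuple:
    # Accept "6.19.0", "v6.19.0" or "6.19.0-beta.1"; pre-release/build
    # suffixes are ignored and missing components are treated as 0.
    core = v.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable_version(v: str) -> bool:
    """True when the version lies in [3.24.0, 6.19.1)."""
    return AFFECTED_MIN <= parse_version(v) < FIXED


class _Collector(HTMLParser):
    """Collect script/iframe references in document order."""

    def __init__(self):
        super().__init__()
        self.items = []               # (kind, value) in document order
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self.items.append((tag, a["src"]))
        elif tag == "script":
            self._in_inline_script = True

    def handle_data(self, data):
        # Inline script bodies are where a header-injected loader would sit;
        # keep a short prefix so a reviewer can match it against the IoC list.
        if self._in_inline_script and data.strip():
            self.items.append(("script-inline", data.strip()[:60]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False


def find_unexpected_embeds(html: str, allowed_hosts: set, site_host: str) -> list:
    """Return (kind, value) pairs that warrant manual review.

    External script/iframe sources are reported unless their host is the site
    itself or on the allowlist. Relative URLs count as self-hosted and are
    skipped here; injected files under the site's own paths still need a
    review against the published indicators.
    """
    c = _Collector()
    c.feed(html)
    c.close()
    findings = []
    for kind, value in c.items:
        if kind == "script-inline":
            findings.append((kind, value))     # always surface for review
            continue
        host = urlparse(value).hostname        # handles "//host/x" as well
        if host is None or host == site_host or host in allowed_hosts:
            continue
        findings.append((kind, value))
    return findings


# Constructed sample page; the "*.placeholder-attacker.example" hosts are
# placeholders, not indicators from the XLab report.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.jsdelivr.net/npm/some-lib.js"></script>
<script src="//static.placeholder-attacker.example/loader.js"></script>
<script>window.__x=1;</script>
<script src="/assets/built/main.js"></script>
</head><body>
<iframe src="https://lure.placeholder-attacker.example/verify"></iframe>
</body></html>"""

if __name__ == "__main__":
    for v in ("3.23.9", "3.24.0", "6.19.0", "6.19.1"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "not affected")
    for kind, value in find_unexpected_embeds(SAMPLE_HTML, {"cdn.jsdelivr.net"}, "blog.example"):
        print(f"REVIEW {kind}: {value}")
```

Run it against the HTML of a few of your own post pages (a `curl` of the page is enough) with the allowlist set to the CDNs your theme genuinely uses; every entry it prints is something to check against the published indicators and against the site's code injection and theme files, after which the admin API keys should be rotated regardless of what the review finds.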
