Ghost CMS SQL Injection Exploited to Poison 700+ Sites in ClickFix Campaign
The danger in this campaign is not just that Ghost CMS sites are vulnerable. It is that compromised publishing sites are being turned into malware delivery infrastructure for everyone who trusts them.
A large-scale ClickFix campaign is exploiting CVE-2026-26980, a SQL injection vulnerability in Ghost CMS, to steal Admin API keys and poison site content with malicious JavaScript. Qianxin XLab says it has identified more than 700 contaminated domains across universities, AI/SaaS companies, blockchain, media, fintech, security research, and personal publishing sites.
What Happened
CVE-2026-26980 is a SQL injection flaw in Ghost CMS’s Content API. The vulnerability affects Ghost versions 3.24.0 through 6.19.0 and allows unauthenticated attackers to perform arbitrary reads from the database. The issue is tracked as CWE-89 and was fixed in Ghost 6.19.1.
The vulnerability was publicly disclosed in February 2026, but many exposed self-hosted Ghost deployments remained unpatched. XLab says attackers are now exploiting that gap at scale. In observed incidents, attackers used CVE-2026-26980 to obtain a target site’s Admin API key, then abused the Ghost Admin API to modify articles in bulk.
The injected code appears at the bottom of affected pages as a malicious JavaScript loader. From there, the campaign shifts from CMS exploitation to visitor-side social engineering: compromised Ghost pages become staging points for fake Cloudflare-style verification prompts and ClickFix lures.
How the Attack Chain Works
The campaign follows a clean and dangerous sequence:
First, attackers exploit the Ghost Content API SQL injection to read sensitive database content.
Second, they extract the Admin API key, which gives them management-level access to content and site objects.
Third, they use the Admin API to alter articles in bulk, injecting JavaScript loaders into published pages.
Fourth, visitors to poisoned pages are profiled through cloaking logic to decide whether they should receive the next-stage lure.
Fifth, selected visitors see a fake human-verification page, often styled like a Cloudflare check, that instructs them to paste and run a command locally.
Finally, that command downloads and executes malware. XLab and subsequent reporting observed multiple payload types, including DLL loaders, JavaScript droppers, and an Electron-based sample named UtilifySetup.exe.
Why ClickFix Makes This Worse
ClickFix attacks work because they outsource execution to the user. Instead of relying only on a browser exploit, the lure tells the victim to “fix” a verification or access problem by copying a command into a terminal, command prompt, or PowerShell window.
Microsoft has described ClickFix as a technique that uses phishing, malvertising, or compromised websites to bring users to a visual lure and then trick them into executing a malicious command themselves. That extra human action helps the attack bypass some conventional security controls, because the malicious behavior begins with an instruction the user manually runs.
In this campaign, the attackers are not building trust from scratch. They are borrowing it from already legitimate Ghost-powered websites. That matters. A fake CAPTCHA on a random domain is suspicious. A fake verification prompt appearing over a university page, media article, SaaS blog, or security research site has a much better chance of being obeyed.
Why This Stands Out
This is not only a vulnerability exploitation story. It is a supply-chain-adjacent abuse of web publishing trust.
Ghost is widely used for blogs, newsletters, documentation, media properties, community publishing, and business content. Once attackers gain Admin API access, they do not need to deface a site loudly. They can quietly insert code into existing articles and let normal visitor traffic do the distribution work.
XLab’s investigation also found signs of competition between at least two activity clusters. Some sites were reportedly reinfected with different malicious code within the same day, suggesting that multiple operators are racing to control the same vulnerable Ghost deployments.
That turns unpatched CMS instances into contested infrastructure. For defenders, cleanup without patching is temporary. Removing injected JavaScript while leaving the SQL injection exposed simply gives the next attacker a fresh page to poison.
Impact and Exposure
The direct impact on site owners is serious: database exposure, stolen API keys, unauthorized content modification, and potential compromise of site integrity. Depending on stored data and configuration, exposed material may include internal site content, credentials or password hashes, authentication secrets, and API keys.
The downstream impact is broader. Every poisoned page becomes a delivery surface for visitors. That means the victim list is not limited to Ghost administrators. It can include readers, customers, researchers, students, journalists, developers, and employees who land on trusted content and are presented with the ClickFix prompt.
XLab also warned that the credentials and configuration data collected from Ghost CMS environments could support later intrusion attempts against related business systems. That is the quiet risk behind this campaign: attackers may be using the CMS compromise as both a malware delivery platform and an intelligence-gathering opportunity.
Mitigation Guidance
Ghost administrators should upgrade immediately to Ghost 6.19.1 or later. Because CVE-2026-26980 can expose API keys, patching alone is not enough. Administrators should rotate previously used keys, review staff users, inspect integrations, and verify that no unauthorized changes were made through the Admin API.
Site owners should review published articles and templates for injected JavaScript, unfamiliar external script URLs, hidden loaders, iframe overlays, suspicious verification prompts, and code added near the bottom of pages. XLab has published indicators of compromise, including injected script patterns and attacker infrastructure, that defenders should use during cleanup.
As a temporary control where an immediate upgrade is blocked, security teams can add a reverse proxy or WAF rule that blocks Content API requests whose filter query-string parameter contains slug%3A%5B (URL-encoded) or slug:[ (decoded). Treat this as a stopgap: it can break legitimate slug filter queries and does not replace the vendor patch.
Defender Takeaways
Security teams should look for two categories of evidence: exploitation of the Ghost API and visitor-side payload delivery.
On the server side, review Ghost access logs for abnormal Content API queries, suspicious use of slug filters, unexpected Admin API activity, sudden bulk article edits, and changes to themes or integrations. On the client-delivery side, monitor pages for injected JavaScript, unfamiliar iframes, fake verification overlays, and traffic to newly registered or low-reputation domains.
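As an added illustration (not code from XLab, Ghost, or this article), the Python below applies the two server-side checks above to nginx-style access log lines: it flags Content API requests whose filter parameter decodes to the slug:[ pattern named in the stopgap WAF rule, and counts Admin API post writes per source address to surface bulk edits. The combined log format, the /ghost/api/content/ and /ghost/api/admin/ path prefixes, the five-edit threshold and the sample lines are assumptions constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# nginx "combined" format: ip - user [time] "METHOD path HTTP/x" status ... (assumed)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SUSPICIOUS_FILTER = "slug:["   # decoded form of the pattern the stopgap WAF rule blocks
BULK_EDIT_THRESHOLD = 5        # Admin API post writes from one IP before we call it bulk

# Constructed sample lines (TEST-NET addresses, fake API key); not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2026:10:01:02 +0000] "GET /ghost/api/content/posts/'
    '?key=abc123&filter=tag%3Anews HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2026:10:01:05 +0000] "GET /ghost/api/content/posts/'
    '?key=abc123&filter=slug%3A%5Bexample%5D HTTP/1.1" 200 880 "-" "curl/8.0"',
] + [
    f'203.0.113.9 - - [12/Mar/2026:10:02:{10 + i:02d} +0000] "PUT /ghost/api/admin/posts/{i}/'
    ' HTTP/1.1" 200 512 "-" "curl/8.0"' for i in range(5)
] + [
    '198.51.100.4 - - [12/Mar/2026:10:03:00 +0000] "PUT /ghost/api/admin/posts/7/'
    ' HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

def content_api_filter_hits(lines):
    """(ip, decoded filter) for Content API requests whose filter contains slug:[.
    parse_qs decodes one layer (slug%3A%5B -> slug:[); unquote catches double-encoding."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "/ghost/api/content/" not in m["path"]:
            continue
        for value in parse_qs(urlsplit(m["path"]).query).get("filter", []):
            decoded = unquote(value)
            if SUSPICIOUS_FILTER in decoded:
                hits.append((m["ip"], decoded))
    return hits

def admin_bulk_edits(lines, threshold=BULK_EDIT_THRESHOLD):
    """Source IPs with >= threshold write requests to /ghost/api/admin/posts/."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] in ("PUT", "POST", "DELETE") and "/ghost/api/admin/posts/" in m["path"]:
            counts[m["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Run both functions over the same window of log lines; an address that appears in the filter hits and then in the bulk editors is the sequence the article describes, key theft followed by mass article edits.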
Endpoint teams should also treat reports of users pasting commands from a browser prompt as high-priority. ClickFix attacks frequently use living-off-the-land tools and user-driven execution, which can make the first malicious action look like a legitimate local command.
NeuraCyb's Assessment
CVE-2026-26980 shows how quickly a CMS flaw can move from data exposure to active malware distribution. The SQL injection steals the key; the Admin API opens the publishing layer; ClickFix turns trusted pages into execution lures.
The strategic lesson is blunt: public content platforms are not passive assets. When attackers can write to them, they become delivery infrastructure. Ghost site owners should patch, rotate keys, and inspect content as an incident response task — not as routine maintenance.
References
- Qianxin XLab — Ghost CMS Mass Compromised via CVE-2026-26980, Now Fueling ClickFix Attacks
- BleepingComputer — Ghost CMS SQL Injection Flaw Exploited in Large-Scale ClickFix Campaign
- GitHub Security Advisory — SQL Injection in Ghost Content API
- NVD — CVE-2026-26980 Detail
- Ghost — v6.19.1 Release
- Microsoft Security — Think Before You ClickFix: Analyzing the ClickFix Social Engineering Technique