Ghost CMS SQL Injection Flaw Exploited in Large-Scale ClickFix Campaign
A critical SQL injection vulnerability in Ghost CMS is being actively exploited in a large-scale campaign to inject malicious JavaScript and redirect users to fake CAPTCHA pages that deliver malware.

A large-scale campaign is actively exploiting CVE-2026-26980, a critical SQL injection vulnerability in Ghost CMS, to inject malicious JavaScript that triggers ClickFix attack flows. The flaw allows unauthenticated attackers to execute arbitrary SQL queries, enabling the injection of JavaScript payloads into database-stored content. This campaign targets Ghost CMS instances to redirect users to fake CAPTCHA pages that deliver malware.
The vulnerability, tracked as CVE-2026-26980, carries a CVSS score of 9.8, indicating critical severity. It affects Ghost CMS versions prior to the latest patch. The flaw resides in the database abstraction layer, allowing attackers to inject malicious SQL queries without authentication. Once exploited, attackers can modify database content to include JavaScript that executes when pages are rendered.
The ClickFix attack flow is a social engineering technique where users are presented with a fake CAPTCHA verification page. When users click the verification button, they inadvertently execute malicious commands that download and install malware. In this campaign, the injected JavaScript redirects visitors to these fake CAPTCHA pages, leading to infections.
Ghost CMS is a popular open-source content management system used by over 2 million websites, including many media and publishing outlets. The widespread use of Ghost makes this campaign particularly dangerous. Security researchers have observed thousands of compromised Ghost instances, with the campaign scaling rapidly over the past week.
Ghost (the company) has released a security patch addressing CVE-2026-26980. Users are strongly advised to update to the latest version immediately. Additionally, administrators should review their Ghost instances for signs of compromise, such as unexpected JavaScript in database content or unusual redirects. The Cybersecurity and Infrastructure Security Agency (CISA) has not yet added this vulnerability to its Known Exploited Vulnerabilities catalog, but given active exploitation, an addition is likely.
This campaign highlights the ongoing threat of SQL injection vulnerabilities, even in modern CMS platforms. The combination of a critical flaw with social engineering techniques like ClickFix demonstrates the evolving tactics of cybercriminals. Organizations using Ghost CMS should prioritize patching and monitor for suspicious activity to mitigate the risk of compromise.
QiAnXin XLab has now identified over 700 compromised Ghost CMS sites, attributing the campaign to unauthenticated exploitation of CVE-2026-26980 (CVSS 9.4). The attackers inject malicious JavaScript via the SQL injection flaw in the Content API, redirecting victims to fake error pages that prompt them to run PowerShell commands in a ClickFix attack chain. No patch has been released for the vulnerability as of the latest report.
Qianxin reports that more than 700 websites have now been compromised, including high-profile targets such as DuckDuckGo, Harvard University, and Oxford University. The attackers used the Admin API key obtained via CVE-2026-26980 to inject malicious JavaScript loaders for ClickFix-style attacks. Notably, at least two distinct threat groups are competing to poison the same compromised sites, sometimes implanting different malicious code within a single day.
New details reveal the campaign exploited over 700 Ghost-powered websites, primarily belonging to universities and tech firms, far exceeding earlier estimates. Researchers at Malwarebytes confirmed the attackers leveraged CVE-2026-26980—a critical unauthenticated SQL injection in Ghost CMS versions 3.24.0 through 6.19.0—to steal Admin API keys and inject fake Cloudflare/CAPTCHA verification dialogs. Unlike prior ClickFix operations, this campaign weaponizes trusted, high-authority domains to deliver malware, making the social engineering particularly insidious. A patched version of Ghost is available, and administrators are urged to update immediately.
New research from Qianxin XLab reveals the campaign has ballooned to over 700 poisoned domains, including sites belonging to Harvard, Oxford, and Auburn Universities. Two distinct threat actor groups are now involved, with one upgrading its payload to a zero-detection Electron-based data-stealing trojan called UtilifySetup.exe that beacons a C2 server every 30 seconds. The attack chain has been fully mapped: SQL injection to steal Admin API keys, mass article modification to inject JavaScript loaders, a fake Cloudflare CAPTCHA social engineering step, and final payload delivery via rundll32 or a NotepadPlusPlus.zip loader from a second group.