VYPR
breach · Published May 24, 2026 · 1 source

Ghost CMS SQL Injection Flaw Exploited in Large-Scale ClickFix Campaign

A critical SQL injection vulnerability in Ghost CMS is being actively exploited in a large-scale campaign to inject malicious JavaScript and redirect users to fake CAPTCHA pages that deliver malware.

A large-scale campaign is actively exploiting CVE-2026-26980, a critical SQL injection vulnerability in Ghost CMS, to inject malicious JavaScript that triggers ClickFix attack flows. The flaw allows unauthenticated attackers to execute arbitrary SQL queries, enabling the injection of JavaScript payloads into database-stored content. The campaign uses those payloads to redirect visitors of compromised Ghost instances to fake CAPTCHA pages that deliver malware.

The vulnerability, tracked as CVE-2026-26980, carries a CVSS score of 9.8, indicating critical severity. It affects Ghost CMS versions prior to the latest patch. The flaw resides in the database abstraction layer, allowing attackers to inject malicious SQL queries without authentication. Once exploited, attackers can modify database content to include JavaScript that executes when pages are rendered.
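The report does not publish the vulnerable code, so the following is a generic, added illustration of the bug class (it is not Ghost's code, and the `posts` table, its columns and the sample rows are constructed assumptions). It shows why a query built by splicing caller-controlled text into SQL lets an unauthenticated input change the query's logic, and why binding the same input as a parameter closes that class of defect entirely.

```python
import sqlite3

# Constructed sample data: a minimal "posts" table standing in for a CMS store.
# The schema and rows are assumptions for this example, not Ghost's own.
SAMPLE_POSTS = [
    ("hello-world", "published", "<p>Welcome</p>"),
    ("draft-notes", "draft", "<p>Not yet public</p>"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample posts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (slug TEXT, status TEXT, html TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    return conn


def public_post_unsafe(conn, slug):
    """Vulnerable pattern: the caller-controlled slug is spliced into the SQL text.

    A quote character in the input terminates the string literal, and whatever
    follows is parsed as SQL, so the 'published' restriction can be bypassed.
    """
    sql = ("SELECT slug, html FROM posts "
           "WHERE status = 'published' AND slug = '" + slug + "'")
    return conn.execute(sql).fetchall()


def public_post_safe(conn, slug):
    """Hardened form: the slug is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT slug, html FROM posts WHERE status = 'published' AND slug = ?"
    return conn.execute(sql, (slug,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"
    print("unsafe:", public_post_unsafe(db, crafted))   # leaks the draft row too
    print("safe:  ", public_post_safe(db, crafted))     # no such slug: empty
```

The unsafe variant returns every row, including the unpublished draft, because the input rewrote the `WHERE` clause; the parameterized variant treats the identical input as an ordinary slug value and returns nothing. Any database access layer that assembles SQL from strings, whether hand-written or inside a framework, is exposed to the same class of flaw.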

The ClickFix attack flow is a social engineering technique where users are presented with a fake CAPTCHA verification page. When users click the verification button, they inadvertently execute malicious commands that download and install malware. In this campaign, the injected JavaScript redirects visitors to these fake CAPTCHA pages, leading to infections.

Ghost CMS is a popular open-source content management system used by over 2 million websites, including many media and publishing outlets. The widespread use of Ghost makes this campaign particularly dangerous. Security researchers have observed thousands of compromised Ghost instances, with the campaign scaling rapidly over the past week.

Ghost (the company) has released a security patch addressing CVE-2026-26980. Users are strongly advised to update to the latest version immediately. Additionally, administrators should review their Ghost instances for signs of compromise, such as unexpected JavaScript in database content or unusual redirects. The Cybersecurity and Infrastructure Security Agency (CISA) has not yet added this vulnerability to its Known Exploited Vulnerabilities catalog, but given active exploitation, an addition is likely.
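To make the "review for unexpected JavaScript in database content" advice concrete, here is an added example of a read-only scan over the stored fields where injected markup would land. It is not Ghost's tooling; the simplified `posts` and `settings` schema, the column names, the indicator patterns, the allowlisted CDN host and the sample rows are all constructed assumptions, so adapt the queries to the real schema before running it against a production copy.

```python
import re
import sqlite3

# Assumed, simplified slice of a Ghost-like schema: only the columns where
# injected markup could be stored are modelled (not the real full tables).
SCHEMA = """
CREATE TABLE posts (id TEXT, slug TEXT, html TEXT,
                    codeinjection_head TEXT, codeinjection_foot TEXT);
CREATE TABLE settings (key TEXT, value TEXT);
"""

# Constructed sample rows: two clean posts, one with an injected redirect, and
# site-wide code-injection settings that load an unknown host and obfuscated code.
SAMPLE_POSTS = [
    ("1", "hello-world", "<p>Welcome to the blog.</p>", None, None),
    ("2", "news", '<p>Update</p><script src="https://cdn.example-site.invalid/app.js"></script>', None, None),
    ("3", "about", "<p>About us</p>",
     '<script>window.location.replace("https://verify-captcha.invalid/check");</script>', None),
]
SAMPLE_SETTINGS = [
    ("title", "My Blog"),
    ("codeinjection_head", '<script src="//static.fake-cdn.invalid/loader.js"></script>'),
    ("codeinjection_foot", '<script>eval(atob("ZG9jdW1lbnQ="));</script>'),
]

# Hosts the site legitimately loads scripts from (assumed; fill in your own).
ALLOWED_SCRIPT_HOSTS = {"cdn.example-site.invalid"}

# Heuristic indicators of injected JavaScript (constructed, not from the report).
PATTERNS = {
    "external-script": re.compile(r"<script[^>]+src=[\"'](https?:)?//([^/\"']+)", re.I),
    "inline-redirect": re.compile(
        r"(window\.|document\.)?location(\.href|\.replace|\.assign)?\s*(=|\()", re.I),
    "obfuscation": re.compile(r"\b(eval|atob|unescape)\s*\(|String\.fromCharCode", re.I),
}


def scan_field(table, row_id, column, text):
    """Return a finding dict per indicator hit in one stored field."""
    findings = []
    if not text:
        return findings
    for name, pat in PATTERNS.items():
        for m in pat.finditer(text):
            if name == "external-script":
                host = m.group(2).lower()
                if host in ALLOWED_SCRIPT_HOSTS:
                    continue          # known CDN: not reported
                detail = host
            else:
                detail = m.group(0)
            findings.append({"table": table, "id": row_id, "column": column,
                             "indicator": name, "detail": detail})
    return findings


def scan_ghost_db(conn):
    """Scan post bodies, per-post code injection and site-wide code injection."""
    findings = []
    rows = conn.execute(
        "SELECT id, slug, html, codeinjection_head, codeinjection_foot FROM posts")
    for _post_id, slug, html, head, foot in rows:
        for col, text in (("html", html), ("codeinjection_head", head),
                          ("codeinjection_foot", foot)):
            findings.extend(scan_field("posts", slug, col, text))
    rows = conn.execute("SELECT key, value FROM settings WHERE key LIKE 'codeinjection_%'")
    for key, value in rows:
        findings.extend(scan_field("settings", key, "value", value))
    return findings


def build_sample_db():
    """Load the constructed rows into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?, ?, ?)", SAMPLE_POSTS)
    conn.executemany("INSERT INTO settings VALUES (?, ?)", SAMPLE_SETTINGS)
    return conn


if __name__ == "__main__":
    for f in scan_ghost_db(build_sample_db()):
        print(f"{f['table']}/{f['id']}.{f['column']}: {f['indicator']} -> {f['detail']}")
```

Run it against a database copy rather than the live instance, and treat hits as leads for manual review: the script-host allowlist keeps the site's own assets quiet, while any script source outside it, any inline `location` redirect, and any `eval`/`atob` construction in stored content is exactly the kind of artifact the advisory tells administrators to look for.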

This campaign highlights the ongoing threat of SQL injection vulnerabilities, even in modern CMS platforms. The combination of a critical flaw with social engineering techniques like ClickFix demonstrates the evolving tactics of cybercriminals. Organizations using Ghost CMS should prioritize patching and monitor for suspicious activity to mitigate the risk of compromise.

Synthesized by Vypr AI