"A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript code that triggers ClickFix attack flows."
Critical Ghost CMS Vulnerability Under Active Exploitation
Over 700 domains have been compromised, including university portals, AI/SaaS companies, media outlets, fintech firms, security sites, and personal blogs. The campaign was identified by XLab threat intelligence researchers at Chinese cybersecurity company Qianxin.
Threat actors have planted malicious code on the websites of Harvard University, Oxford University, Auburn University, and DuckDuckGo.
Technical Details
CVE-2026-26980 impacts Ghost versions 3.24.0 through 6.19.0. It allows unauthenticated attackers to read arbitrary data from the website database, including the admin API keys.
These keys grant management access to users, articles, and themes, and can be used to modify article pages.
The fix for the issue was released on February 19 in Ghost CMS version 6.19.1, but many sites failed to install the security update.
The Attack Chain
- Exploitation: The attacks begin by exploiting CVE-2026-26980 to steal the admin API keys.
- Injection: Attackers then use elevated rights to inject malicious JavaScript into articles.
- Fingerprinting: The JavaScript is a lightweight loader that fetches second-stage code from the attacker’s infrastructure, which fingerprints visitors to determine targets.
- The Lure: Visitors passing verification are served a fake Cloudflare prompt via an iframe containing the ClickFix lure.
- Payload Delivery: The page instructs victims to verify they are human by pasting a provided command into their Windows command prompt, which drops a payload.
Multiple payloads have been observed, including DLL loaders, JavaScript droppers, and an Electron-based malware sample named UtilifySetup.exe.
Mitigation and Recommendations
- Ghost CMS website administrators should upgrade to version 6.19.1 or later and rotate all previously used keys.
- XLab published indicators of compromise, including the injected scripts; administrators should review their sites for them.
- Researchers recommend maintaining a 30-day record of admin API call logs for retrospective investigation.
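The injection step above writes attacker JavaScript into post content, so a site review means scanning what a stolen Admin API key can edit. The following is an added example, not code from the article, XLab or the Ghost project: it checks a version string against the affected range the article gives and flags external or inline script tags in a post's rendered `html` and its `codeinjection_head` / `codeinjection_foot` fields (field names as Ghost's post APIs return them). The allowlisted host and the sample posts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (hypothetical allowlist).
ALLOWED_SCRIPT_HOSTS = {"cdn.example-site.test"}

def needs_upgrade(version):
    """True for the affected range the article states: 3.24.0 through 6.19.0."""
    v = tuple(int(x) for x in version.split("."))
    return (3, 24, 0) <= v <= (6, 19, 0)

class _ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies from HTML."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_inline = False
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src is None:
            self._in_inline = True      # body arrives via handle_data
            return
        host = urlparse(src).hostname   # None for site-relative paths
        if host is not None and host not in ALLOWED_SCRIPT_HOSTS:
            self.findings.append(("external-script", src))
    def handle_data(self, data):
        if self._in_inline and data.strip():
            self.findings.append(("inline-script", data.strip()[:80]))
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

def scan_post(post):
    """Findings for one post dict: rendered html plus per-post code injection."""
    out = []
    for field in ("html", "codeinjection_head", "codeinjection_foot"):
        parser = _ScriptCollector()
        parser.feed(post.get(field) or "")
        out += [(post["slug"], field, kind, d) for kind, d in parser.findings]
    return out

def scan_all(posts):
    return [f for p in posts for f in scan_post(p)]

SAMPLE_POSTS = [  # constructed sample data, not taken from any real site
    {"slug": "welcome", "html": '<p>Hi</p><script src="https://cdn.example-site.test/app.js"></script>'},
    {"slug": "pricing", "html": "<p>Plans</p>",
     "codeinjection_foot": '<script src="https://loader.attacker-placeholder.test/s.js"></script>'},
]
```

Feed it the `posts` array from a Ghost export or API response and review every hit against the published indicators; a site-wide check should also cover the global code-injection settings, which this per-post scan does not read.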