Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks

· 4 min read · SecurityXP Editorial Team

Summary

Threat actors are actively exploiting CVE-2026-26980, a critical SQL injection vulnerability in Ghost CMS, to compromise over 700 websites and inject malicious JavaScript that fuels ClickFix social engineering attacks [1]. The flaw, which affects Ghost versions 3.24.0 through 6.19.0, allows unauthenticated attackers to read arbitrary data from the website database. Despite a patch being available since February 19, 2026, a large number of sites remain unpatched and are now serving malicious code to visitors. High-profile victims include Harvard University, Oxford University, and Auburn University.

What Happened

In early May 2026, Qianxin’s XLab threat intelligence researchers discovered a large-scale campaign exploiting CVE-2026-26980. The attackers target unpatched Ghost CMS instances and use the SQL injection flaw to gain unauthorized access to the database. From there, they inject malicious JavaScript into the compromised websites. When visitors land on these sites, they encounter fake error messages designed to trick them into running malicious PowerShell commands on their own machines — a technique known as ClickFix.

Last week, security researchers confirmed that attackers had planted malicious code on the websites of Harvard University, Oxford University, and Auburn University, among others. The total number of compromised domains has exceeded 700, with the list including university portals, news outlets, and organizational websites running vulnerable Ghost CMS versions.

Technical Details

CVE-2026-26980 is a SQL injection vulnerability in Ghost CMS with a CVSS score of 9.4 (Critical). The flaw exists in versions 3.24.0 through 6.19.0 and allows unauthenticated remote attackers to execute arbitrary SQL queries against the database. Ghost addressed the vulnerability in version 6.19.1, released on February 19, 2026.

The attack chain observed by researchers works as follows: First, the attacker sends a specially crafted request to exploit the SQL injection. This allows them to read sensitive data from the database, including content and configuration. Next, they modify site content to inject malicious JavaScript. When a victim visits the compromised site, the JavaScript displays a fake browser update error or system warning. The page instructs the user to copy and paste a PowerShell command into their terminal, which then downloads and executes malware — typically information stealers or remote access trojans.

Impact

Over 700 domains have been confirmed compromised, including high-traffic university portals and organizational websites. The impact is twofold: first, the websites themselves suffer data exposure through the SQL injection, potentially leaking subscriber data, draft content, and administrative information. Second, visitors to these sites are exposed to ClickFix social engineering attacks that can result in malware infections on their local machines.

Organizations running Ghost CMS versions prior to 6.19.1 are at risk if they have not applied the February patch. The widespread nature of the campaign suggests that attackers are using automated scanning tools to identify and exploit vulnerable instances at scale.

What To Do Now

  1. Upgrade Ghost CMS immediately: Update to Ghost CMS version 6.19.1 or later. The patch was released on February 19, 2026, and eliminates the SQL injection vector entirely.
  2. Rotate all admin API keys: If your Ghost CMS instance was or may have been compromised, change all admin API keys and review user accounts for unauthorized access.
  3. Audit site content and injected code: Check your site’s themes, posts, and code injection fields for unauthorized JavaScript. Look for suspicious scripts in the site header or footer.
  4. Review database access logs: Examine your database logs for unusual queries or unauthorized data access patterns that may indicate SQL injection exploitation.
  5. Implement Content Security Policy (CSP): Add a strict CSP to your Ghost CMS site to block execution of inline or external scripts that have not been explicitly whitelisted.
  6. Deploy a Web Application Firewall (WAF): Configure your WAF with rules to detect and block SQL injection payloads targeting Ghost CMS endpoints.
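One way to carry out the content audit in step 3, as an added example that is not code from the article or the Ghost project: a Node.js script that walks the places Ghost keeps injectable HTML (the site-wide and per-post `codeinjection_head`/`codeinjection_foot` fields and post bodies) and flags script tags that load from hosts outside an allowlist, plus inline scripts, ranking the ones that use decode/eval primitives higher. The export structure and the allowed-host list are assumptions; the sample data is constructed.

```javascript
// Added audit helper, not Ghost's own code. Scans Ghost-style HTML fields for
// injected <script> tags and reports anything not explicitly expected.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_RE = /\bsrc\s*=\s*["']([^"']+)["']/i;

// Hosts you expect to serve scripts on your site (assumption: set per site).
const ALLOWED_HOSTS = new Set(["cdn.jsdelivr.net", "plausible.io"]);

// Returns findings of the form {where, kind, detail} for one HTML field.
function auditHtml(where, html) {
  const findings = [];
  if (!html) return findings;
  for (const m of html.matchAll(SCRIPT_RE)) {
    const attrs = m[1], body = m[2].trim();
    const src = attrs.match(SRC_RE);
    if (src) {
      let host;
      // Protocol-relative and relative URLs resolve against a dummy base.
      try { host = new URL(src[1], "https://example.invalid").hostname; }
      catch { host = "(unparseable)"; }
      if (!ALLOWED_HOSTS.has(host)) findings.push({ where, kind: "external-script", detail: src[1] });
    } else if (body.length) {
      // Inline scripts are the usual vehicle for injected overlays; flag all,
      // and mark those that decode or eval their payload as higher priority.
      const obfuscated = /\b(atob|eval|unescape|fromCharCode)\b/.test(body);
      findings.push({ where, kind: obfuscated ? "inline-obfuscated" : "inline", detail: body.slice(0, 60) });
    }
  }
  return findings;
}

// Walks an export shaped like {settings: {...}, posts: [...]} (assumed layout).
function auditGhostExport(site) {
  const out = [];
  out.push(...auditHtml("settings.codeinjection_head", site.settings.codeinjection_head));
  out.push(...auditHtml("settings.codeinjection_foot", site.settings.codeinjection_foot));
  for (const p of site.posts) {
    for (const f of ["codeinjection_head", "codeinjection_foot", "html"]) {
      out.push(...auditHtml(`post:${p.slug}.${f}`, p[f]));
    }
  }
  return out;
}

// Constructed sample (not real site data): one expected analytics tag, one
// obfuscated inline script in the footer, one unknown external script in a post.
const SAMPLE = {
  settings: {
    codeinjection_head: '<script defer src="https://plausible.io/js/script.js"></script>',
    codeinjection_foot: '<script>eval(atob("Y29uc3RydWN0ZWQ="))</script>',
  },
  posts: [{ slug: "welcome", codeinjection_head: null, codeinjection_foot: null,
            html: '<p>Hello</p><script src="//cdn.example-attacker.invalid/x.js"></script>' }],
};

console.log(JSON.stringify(auditGhostExport(SAMPLE), null, 1));
```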

Timeline

| Date | Event |
| --- | --- |
| February 19, 2026 | Ghost CMS 6.19.1 released with fix for CVE-2026-26980 |
| Early May 2026 | XLab discovers large-scale ClickFix campaign exploiting Ghost CMS |
| Last week | Malicious code found on Harvard, Oxford, and Auburn University websites |
| Recently | Total compromised domains exceed 700 across multiple sectors |

Sources

  1. https://www.bleepingcomputer.com/news/security/ghost-cms-sql-injection-flaw-exploited-in-large-scale-clickfix-campaign/
  2. https://thehackernews.com/2026/05/ghost-cms-cve-2026-26980-exploited-to.html
  3. https://www.securityweek.com/ghost-cms-vulnerability-exploited-to-hack-over-700-websites/
  4. https://securityaffairs.com/192655/cyber-crime/ghost-cms-flaw-abused-to-push-clickfix-attacks-on-hundreds-of-sites.html