Critical SQL Injection Vulnerability in Ghost CMS Exploited to Inject Malicious Scripts Through ClickFix Campaign

Tuesday, May 26, 2026

Researchers have identified a large-scale attack campaign exploiting the critical SQL Injection vulnerability CVE-2026-26980 in Ghost CMS to inject malicious JavaScript into websites, leading to ClickFix-style attacks. According to threat intelligence researchers from Qianxin XLab, more than 700 affected domains have been identified, including websites belonging to universities, AI/SaaS companies, online media platforms, FinTech organizations, cybersecurity firms, and personal blogs.

The vulnerability affects Ghost CMS versions 3.24.0 through 6.19.0 and allows unauthenticated attackers to extract sensitive information directly from the website database, including Admin API Keys. These keys can be used to access and manage users, articles, themes, and website content. Although Ghost CMS released a patch for the vulnerability on February 19 through version 6.19.1, many websites remain unpatched, allowing attackers to continue exploiting the issue at scale.

Researchers found that attackers use the vulnerability to steal Admin API Keys and then abuse the obtained privileges to inject malicious JavaScript into website articles. The injected scripts load additional payloads from attacker-controlled infrastructure and selectively filter website visitors to identify suitable targets. Victims who match specific criteria are redirected to fake verification pages designed to imitate Cloudflare services as part of a ClickFix social engineering attack. The campaign may ultimately deliver malicious payloads such as DLL loaders, JavaScript droppers, and malware including UtilifySetup.exe.

Website administrators using Ghost CMS are strongly advised to immediately update to version 6.19.1 or later, rotate previously used API keys, inspect and remove unauthorized injected scripts, and retain Admin API access logs for at least 30 days to support incident investigation and response efforts.
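The two checks an administrator would run first are "is my Ghost version in the affected range?" and "do any of my posts contain script tags I did not put there?". The following is an added example written for this summary; it is not code from Ghost or from the researchers cited above. It takes the affected range (3.24.0 through 6.19.0, patched in 6.19.1) from the advisory text, and it assumes post bodies are available as HTML strings (for instance from a content export or a database dump); the sample posts, the allowlisted host and the placeholder `.test` domains are constructed for illustration.

```python
"""Defensive triage helpers for the Ghost CMS SQL injection advisory (added example).

Assumptions (not from the advisory): post content is supplied as HTML strings,
e.g. from a site content export. The allowlist of script hosts and the sample
posts below are constructed; the version bounds come from the advisory.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

AFFECTED_MIN = (3, 24, 0)   # first affected version per the advisory
AFFECTED_MAX = (6, 19, 0)   # last affected version per the advisory
PATCHED = (6, 19, 1)        # first fixed release per the advisory


def parse_version(version: str) -> tuple:
    """Turn '6.19.0', 'v5.2', or '6.19.1-beta' into a comparable (major, minor, patch) tuple."""
    parts = version.strip().lstrip("v").split(".")
    nums = []
    for part in parts[:3]:
        match = re.match(r"\d+", part)
        if not match:
            raise ValueError(f"unparseable version component: {part!r}")
        nums.append(int(match.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version: str) -> bool:
    """True if the given Ghost version falls inside the vulnerable range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


class _ScriptCollector(HTMLParser):
    """Collects every <script> element as (src attribute or None, inline body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._in_script = False


def find_suspicious_scripts(html: str, allowed_hosts: set) -> list:
    """Flag inline scripts and external scripts whose host is not allowlisted.

    Relative (same-origin) script sources are treated as part of the site and skipped.
    """
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src, body in collector.scripts:
        if src is None:
            findings.append(("inline-script", body[:80]))
            continue
        # Protocol-relative URLs ("//host/x.js") need a scheme for urlparse to see the host.
        host = urlparse("https:" + src if src.startswith("//") else src).hostname
        if host is not None and host not in allowed_hosts:
            findings.append(("external-script", src))
    return findings


def triage_posts(posts: list, allowed_hosts: set) -> dict:
    """Map post id -> findings for every post that contains something worth reviewing."""
    report = {}
    for post in posts:
        findings = find_suspicious_scripts(post["html"], allowed_hosts)
        if findings:
            report[post["id"]] = findings
    return report


# Constructed sample data: one clean post, one with an off-allowlist loader, one with inline JS.
ALLOWED_HOSTS = {"cdn.example-allowed.test"}
SAMPLE_POSTS = [
    {"id": "post-1", "html": '<p>Hello</p><script src="https://cdn.example-allowed.test/lib.js"></script>'},
    {"id": "post-2", "html": '<p>Hi</p><script src="https://loader.placeholder-attacker.test/v.js"></script>'},
    {"id": "post-3", "html": '<p>Hi</p><script>(function(){/* obfuscated blob */})();</script>'},
]

if __name__ == "__main__":
    print("6.19.0 affected:", is_affected("6.19.0"))
    print("6.19.1 affected:", is_affected("6.19.1"))
    for post_id, findings in triage_posts(SAMPLE_POSTS, ALLOWED_HOSTS).items():
        print(post_id, findings)
```

Run it against a real export by replacing `SAMPLE_POSTS` with the site's own posts and `ALLOWED_HOSTS` with the hosts the site legitimately loads scripts from. Every inline script is reported, not only off-allowlist ones, because an attacker holding an Admin API Key can write arbitrary JavaScript into a post body, so any inline script that an editor cannot account for is worth removing, and the Admin API access logs the advisory recommends retaining are where to look for the request that planted it.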

Source: https://www.bleepingcomputer.com/news/security/ghost-cms-sql-injection-flaw-exploited-in-large-scale-clickfix-campaign/