Ghost CMS SQL Injection CVE-2026-26980 Exploited to Hijack 700 Sites in Large-Scale ClickFix Campaign
A patched SQL injection in Ghost CMS (versions 3.24.0–6.19.0) has been exploited at scale to compromise 700+ websites, including Harvard and Oxford, turning them into ClickFix malware distribution points.
Overview
A SQL injection vulnerability in the Ghost content management system, patched in February 2026 but left unaddressed on thousands of servers, has been weaponized to compromise more than 700 websites — including the portals of Harvard University, Oxford University, Auburn University, and DuckDuckGo. The campaign, discovered by XLab threat intelligence researchers at Chinese cybersecurity company Qianxin and reported by BleepingComputer on May 24, 2026, converts legitimate sites into ClickFix malware delivery platforms that trick visitors into voluntarily executing malicious commands on their own machines.
The Vulnerability
Tracked as CVE-2026-26980, the flaw resides in Ghost’s Content API slug filter ordering feature. According to SentinelOne, the vulnerability stems from the code “directly concatenating user-supplied slug values into SQL CASE statements without proper sanitization or parameterization,” allowing “unauthenticated attackers to perform arbitrary reads from the database.”
Ghost is a Node.js content management system popular with independent publishers, academic institutions, and software companies. The vulnerability affects versions 3.24.0 through 6.19.0. A fix was released on February 19, 2026 in Ghost CMS version 6.19.1, according to BleepingComputer.
The National Vulnerability Database rates the flaw at 7.5 (HIGH) under NIST’s assessment, while GitHub, acting as the CVE Numbering Authority, assigned a score of 9.4 (CRITICAL), reflecting differing assessments of the vulnerability’s integrity and availability impact. Both agree the flaw requires no authentication and no user interaction to exploit.
The Attack Chain
XLab researchers documented a five-stage attack chain: CMS Takeover, Page Poisoning, Two-stage Loading, Social Engineering Lure, and Malware Delivery, as described in their campaign analysis.
The process begins with automated reconnaissance targeting unpatched Ghost instances. Attackers exploit the SQL injection to extract the Admin API Key — the credential that grants full administrative access to articles, themes, and users — directly from the database without logging in. As BleepingComputer describes, the attacks then “use the elevated rights to inject malicious JavaScript” at the bottom of existing articles.
The injected code is, in BleepingComputer’s words, “a lightweight loader that fetches second-stage code from the attacker’s infrastructure.” A cloaking layer filters out security researchers and automated bots; legitimate visitors are then presented with a fake Cloudflare verification page loaded via an iframe. That page delivers the ClickFix lure: it instructs victims to “verify that they are human” by pasting a provided command in their Windows command prompt.
According to XLab’s technical report, the lure directs users to “use the WIN+R shortcut to open the command window,” paste base64-encoded commands, and execute them — a technique that bypasses browser-based security controls by offloading execution to the operating system.
Scale and Victims
XLab first detected the campaign on May 7, 2026, with 156 compromised domains identified by May 10. The count expanded to over 700 by May 17, according to CyberSecurity News. BleepingComputer confirmed that “threat actors planted malicious code on the websites of Harvard University, Oxford University, Auburn University, and DuckDuckGo.”
By victim profile, XLab’s data shows personal blogs account for 48.1% of compromised sites, followed by SaaS and technology companies at 14.8%, AI and machine learning entities at 4.6%, cryptocurrency sites at 2.9%, and academic institutions at 2.7%. SecurityWeek notes the campaign also spans media outlets, fintech firms, and cybersecurity research blogs.
Two Competing Threat Actors
XLab and SecurityWeek identified at least two distinct activity clusters behind the campaign. The SecurityWeek report quotes XLab’s finding that “some sites have even become the target of competition between the two parties, with different malicious code being implanted one after another within a single day.”
CyberSecurity News identifies the payloads used by the two groups: the first deployed installer.dll, a Rust-based DLL loader active from May 7 through May 9, before switching to UtilifySetup.exe, an Electron-based data-stealing Trojan, from May 16 onward. The second actor delivered NotepadPlusPlus.zip as its payload. BleepingComputer also confirmed “multiple payloads being used in these attacks, including DLL loaders, JavaScript droppers, and an Electron-based malware sample named UtilifySetup.exe.”
What We Don’t Know
The full scope of visitor compromise — how many end users actually executed the ClickFix commands and what data was exfiltrated — has not been publicly quantified. Attribution beyond the operational details has not been publicly confirmed; neither XLab nor the sources reviewed link either threat cluster to a named criminal group or nation-state. The total number of affected Ghost instances that remain unpatched is also unknown.
SecurityWeek reported that Qianxin alerted many victims but “a vast majority did not respond to its notifications.”
Remediation
Ghost operators running any version from 3.24.0 through 6.19.0 should upgrade to version 6.19.1 or later immediately. The patch has been available since February 19, 2026 — more than three months before XLab observed active mass exploitation. Administrators should also audit article content for injected JavaScript and review Admin API Key integrity, as stolen keys may persist even after patching.