Ghost CMS SQL injection exploited in coordinated ClickFix campaign across 700+ sites
Universities and major platforms compromised via three-month-old unpatched vulnerability enabling malicious code injection and credential theft.
A critical SQL injection vulnerability in Ghost CMS is being actively exploited to compromise major institutional websites — including Harvard University, Oxford University, and DuckDuckGo — in a coordinated ClickFix phishing campaign affecting more than 700 domains. The attacks leverage CVE-2026-26980, a CVSS 9.4-rated flaw patched in February but left unaddressed across much of Ghost’s estimated 100,000+ active site deployments.
The vulnerability affects Ghost versions 3.24.0 through 6.19.0, enabling unauthenticated attackers to extract admin API keys through blind SQL injection in the public Content API. Once compromised, attackers inject malicious JavaScript loaders that deliver fake Cloudflare verification prompts to site visitors, according to XLab researchers at Qianxin, who first detected mass infections on 7 May. The social engineering overlay instructs targets to execute PowerShell commands that deploy credential stealers and remote access trojans.
Three-month patch gap enables institutional compromise
Ghost Foundation released version 6.19.1 addressing CVE-2026-26980 on 19 February 2026, per SonicWall Capture Labs analysis. The 95-day gap between patch availability and large-scale exploitation discovery reflects systematic vulnerability scanning by organized threat actors targeting high-value institutional infrastructure. Auburn University, Harvard, Oxford, and DuckDuckGo represent a fraction of confirmed victims — XLab began notifying compromised organisations on 10 May but reports that the vast majority have not responded as of 21 May.
“Although some enterprises have responded and initiated remediation work, the vast majority of notifications have so far received no response at all.”
— XLab researchers, Qianxin
The vulnerability’s technical severity stems from unauthenticated network access to Ghost’s Content API, where attacker-controlled filter parameters enable SQL injection into ORDER BY clauses. This yields full database read access including administrator credentials and API keys — the mechanism attackers use to inject persistent malicious code into compromised sites. SentinelOne published exploitation details and detection signatures on 27 February, placing CVE-2026-26980 in the 97th EPSS percentile for near-term exploitation probability.
ClickFix campaigns exploit institutional trust
The attack chain operates in distinct stages designed to evade endpoint detection. After compromising a Ghost site via SQL injection, attackers inject JavaScript loaders that fingerprint visitors to identify high-value targets. Selected users receive fake Cloudflare CAPTCHA prompts overlaid on legitimate article pages within iframes, according to TechNadu analysis of the attack methodology.
The fake verification prompts instruct targets to use the Windows+X keyboard shortcut to launch Windows Terminal directly — a technique Microsoft Threat Intelligence notes “blends into legitimate administrative workflows and appears more trustworthy to users.” The commands execute credential stealers and remote access tools, with payloads ranging from established malware families like Lumma and Redline to custom trojans.
Attackers demonstrated operational resilience after Cloudflare blocked their initial cloaking domain (clo4shara[.]xyz) by migrating infrastructure to com-apps[.]cc on 16 May and upgrading to a zero-detection stealer trojan. XLab researchers observed at least two distinct activity clusters, with some domains re-infected after cleanup attempts.
Ghost powers more than 100,000 active websites globally with over 100 million total installations, according to Endor Labs. The open-source Node.js platform is used by independent journalists, bloggers, and enterprises for publishing and newsletter management. Ghost Foundation operates a commercial hosted service generating more than $10 million annual recurring revenue.
Detection and remediation
Organisations running Ghost CMS should upgrade to version 6.19.1 or later without delay. For sites that cannot patch immediately, SonicWall recommends deploying Web Application Firewall rules blocking requests with suspicious filter parameters in Content API calls, particularly those targeting ORDER BY clauses. Security teams should audit admin API keys and review site code for unauthorised JavaScript injections, focusing on loaders that reference external domains.
BleepingComputer reports that compromised sites continue serving malicious payloads as of 24 May, with attackers maintaining persistence even after initial cleanup efforts. Indicators of compromise include references to cloaking domains in injected JavaScript and unexpected Content API database queries containing UNION statements or time-based SQL injection patterns.
- Upgrade Ghost to version 6.19.1 or later immediately
- Audit and rotate all admin API keys
- Review site code for unauthorised JavaScript loaders
- Implement WAF rules blocking suspicious Content API filter parameters
- Monitor for database queries containing UNION statements or time delays
- Check for references to known malicious domains (clo4shara[.]xyz, com-apps[.]cc)
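As an added example (not code from the article or from any of the vendors it cites), the following Python triage script applies two of the checks above to constructed sample data: it flags Content API requests whose filter parameter contains UNION or time-delay functions, and scans page HTML for the cloaking domains named in the article. The combined-log format, the /ghost/api/content/ path prefix and the sample values are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (not real traffic), combined log format assumed.
SAMPLE_LOG = """\
203.0.113.5 - - [20/May/2026:10:01:02 +0000] "GET /ghost/api/content/posts/?key=abc&filter=tag:news HTTP/1.1" 200 512
203.0.113.7 - - [20/May/2026:10:01:09 +0000] "GET /ghost/api/content/posts/?key=abc&filter=tag%3Anews%20UNION%20SELECT HTTP/1.1" 200 14
203.0.113.9 - - [20/May/2026:10:02:11 +0000] "GET /ghost/api/content/posts/?key=abc&filter=id%3A1%20AND%20SLEEP(5) HTTP/1.1" 200 14
203.0.113.2 - - [20/May/2026:10:03:15 +0000] "GET /about/ HTTP/1.1" 200 2048
"""

# Constructed page HTML containing an injected loader that references one of the article's IoC domains.
SAMPLE_HTML = '<html><head><script src="https://com-apps.cc/x.js"></script></head><body>post</body></html>'

# Domains from the article, undefanged here so they can be matched literally.
IOC_DOMAINS = ("clo4shara.xyz", "com-apps.cc")

# UNION-based and time-based (MySQL/SQLite/Postgres/MSSQL) injection markers; tuned for triage,
# so a legitimate tag such as "union-news" will also be flagged for review.
SQLI_PATTERNS = re.compile(
    r"\bUNION\b|\bSLEEP\s*\(|\bBENCHMARK\s*\(|\bPG_SLEEP\s*\(|\bWAITFOR\b", re.IGNORECASE
)
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_content_api_requests(log_text):
    """Return (client_ip, decoded_filter) for Content API requests with injection markers in `filter`."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.startswith("/ghost/api/content/"):
            continue
        for value in parse_qs(url.query).get("filter", []):
            decoded = unquote_plus(value)  # second decode catches double-encoded parameters
            if SQLI_PATTERNS.search(decoded):
                hits.append((line.split()[0], decoded))
    return hits


def ioc_domain_references(html):
    """Return the sorted list of article IoC domains referenced anywhere in the page source."""
    return sorted(d for d in IOC_DOMAINS if re.search(re.escape(d), html, re.IGNORECASE))


if __name__ == "__main__":
    for ip, flt in suspicious_content_api_requests(SAMPLE_LOG):
        print(f"suspicious filter from {ip}: {flt!r}")
    print("IoC domains in page:", ioc_domain_references(SAMPLE_HTML))
```

Run it against real access logs and rendered theme/page output; a hit from either function warrants the key rotation and code review listed above, not an automatic verdict.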
What to watch
The campaign’s exploitation of trusted institutional domains for payload delivery represents a significant escalation in ClickFix methodology. Recorded Future predicts continued adoption of ClickFix techniques as a primary initial access vector throughout 2026, with threat actors increasingly targeting content management systems that power high-trust domains.
XLab researchers warn that the attack infrastructure remains operational despite defensive measures: “From the current infection situation, the attacker only needs to move the Cloaking domain out of Cloudflare’s service, and the attack chain can resume normal operation, with the infected domains immediately becoming accomplices to ClickFix attacks.” The 32.74% EPSS score suggests automated scanning for vulnerable Ghost installations will continue, making rapid patching essential for all deployments.
Organisations should monitor for Ghost Foundation security advisories and consider implementing automated patch management for critical CMS infrastructure. The gap between patch availability and mass exploitation underscores systemic failures in enterprise vulnerability management — particularly for open-source components that lack centralised update mechanisms.