Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Critical Ghost CMS Vulnerability Exploited in ClickFix Attacks

Critical Ghost CMS Vulnerability Exploited in ClickFix Attacks

Posted on May 25, 2026 By CWS

A critical vulnerability in Ghost CMS has been exploited by cybercriminals, resulting in the compromise of over 700 websites. The flaw, identified as CVE-2026-26980, has been used to conduct ClickFix attacks by injecting malicious JavaScript code across various sites.

Details of the Vulnerability

According to cybersecurity firm QiAnXin XLab, the issue lies in an SQL injection vulnerability within Ghost’s Content API, which received a CVSS score of 9.4. This flaw potentially allows unauthorized attackers to access and manipulate sensitive data. The vulnerability was addressed in February 2026 with the release of version 6.19.1, following its discovery by Anthropic using the Claude tool.

The main threat posed by this vulnerability is its capacity to expose a site’s admin API key. This access enables attackers to inject harmful code directly into articles on the compromised content management system, significantly affecting site integrity and security.

Impact and Attack Mechanism

The exploitation of this vulnerability has led to what QiAnXin XLab describes as a “large-scale poisoning” campaign. Threat actors use the acquired admin API key to alter multiple articles, embedding malicious JavaScript loaders that facilitate fake CAPTCHA attacks. The campaign, active since May 7, 2026, has affected sectors ranging from universities to financial technology.

The methodology involves deploying a two-stage JavaScript loader to retrieve a primary payload from an external domain. This approach allows attackers to dynamically alter the payload while maintaining consistency in their attack strategy. The injected script also collects user data and executes actions like redirections and pop-ups, powered by Adspect’s cloaking service.

Response and Recommendations

Users of Ghost CMS are strongly urged to update to the latest software version, change all credentials, and thoroughly clean any infected sites. Additionally, it is crucial to review access logs for unusual activity and inform users who may have accessed compromised sites to be vigilant for any signs of data breaches.

The attacks, aimed at tricking users into executing commands that download malware, highlight the importance of robust cybersecurity practices. The end goal is often to install a Windows executable, disguised under legitimate applications like the PuTTY client or through JavaScript installers, to establish persistent control over compromised systems.

With the potential for widespread impact, it is vital for organizations relying on Ghost CMS to take immediate protective measures. Ensuring that systems are updated and secure will help mitigate the risks posed by such vulnerabilities in the future.

The Hacker News Tags:admin API key, ClickFix attacks, code-signing certificate, CVE-2026-26980, Cybersecurity, Ghost CMS, JavaScript injection, malicious code, Malware, rundll32.exe, security flaw, site hijacking, SQL injection, Threat Actors, web security

Post navigation

Previous Post: Italian Police Dismantle Major Streaming Piracy Network
Next Post: Patient Data Breach at Oncology Institute Confirmed

Related Posts

Obsidian Plugin Exploitation Delivers PHANTOMPULSE RAT Obsidian Plugin Exploitation Delivers PHANTOMPULSE RAT The Hacker News
Apple Addresses Over 30 Security Flaws in iOS and macOS Apple Addresses Over 30 Security Flaws in iOS and macOS The Hacker News
Fortinet Warns About FortiSIEM Vulnerability (CVE-2025-25256) With In-the-Wild Exploit Code Fortinet Warns About FortiSIEM Vulnerability (CVE-2025-25256) With In-the-Wild Exploit Code The Hacker News
Understanding and Mitigating Lethal Paths in AppSec Understanding and Mitigating Lethal Paths in AppSec The Hacker News
Compromised IAM Credentials Power a Large AWS Crypto Mining Campaign Compromised IAM Credentials Power a Large AWS Crypto Mining Campaign The Hacker News
Transparent Tribe Launches New RAT Attacks Against Indian Government and Academia Transparent Tribe Launches New RAT Attacks Against Indian Government and Academia The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Maximizing Threat Intelligence for Effective SOC Operations
  • Palo Alto Networks Fixes Critical Security Flaws
  • Windows Update Installs LG App with McAfee Ads
  • QIZ Security Secures $17M for Cryptography Platform
  • UNC6692 Exploits Microsoft Teams for SNOW Malware Attack

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Maximizing Threat Intelligence for Effective SOC Operations
  • Palo Alto Networks Fixes Critical Security Flaws
  • Windows Update Installs LG App with McAfee Ads
  • QIZ Security Secures $17M for Cryptography Platform
  • UNC6692 Exploits Microsoft Teams for SNOW Malware Attack

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark