Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Critical Ghost CMS Vulnerability Exploited in ClickFix Attacks

Critical Ghost CMS Vulnerability Exploited in ClickFix Attacks

Posted on May 25, 2026 By CWS

A critical vulnerability in Ghost CMS has been exploited by cybercriminals, resulting in the compromise of over 700 websites. The flaw, identified as CVE-2026-26980, has been used to conduct ClickFix attacks by injecting malicious JavaScript code across various sites.

Details of the Vulnerability

According to cybersecurity firm QiAnXin XLab, the issue lies in an SQL injection vulnerability within Ghost’s Content API, which received a CVSS score of 9.4. This flaw potentially allows unauthorized attackers to access and manipulate sensitive data. The vulnerability was addressed in February 2026 with the release of version 6.19.1, following its discovery by Anthropic using the Claude tool.

The main threat posed by this vulnerability is its capacity to expose a site’s admin API key. This access enables attackers to inject harmful code directly into articles on the compromised content management system, significantly affecting site integrity and security.

Impact and Attack Mechanism

The exploitation of this vulnerability has led to what QiAnXin XLab describes as a “large-scale poisoning” campaign. Threat actors use the acquired admin API key to alter multiple articles, embedding malicious JavaScript loaders that facilitate fake CAPTCHA attacks. The campaign, active since May 7, 2026, has affected sectors ranging from universities to financial technology.

The methodology involves deploying a two-stage JavaScript loader to retrieve a primary payload from an external domain. This approach allows attackers to dynamically alter the payload while maintaining consistency in their attack strategy. The injected script also collects user data and executes actions like redirections and pop-ups, powered by Adspect’s cloaking service.

Response and Recommendations

Users of Ghost CMS are strongly urged to update to the latest software version, change all credentials, and thoroughly clean any infected sites. Additionally, it is crucial to review access logs for unusual activity and inform users who may have accessed compromised sites to be vigilant for any signs of data breaches.

The attacks, aimed at tricking users into executing commands that download malware, highlight the importance of robust cybersecurity practices. The end goal is often to install a Windows executable, disguised under legitimate applications like the PuTTY client or through JavaScript installers, to establish persistent control over compromised systems.

With the potential for widespread impact, it is vital for organizations relying on Ghost CMS to take immediate protective measures. Ensuring that systems are updated and secure will help mitigate the risks posed by such vulnerabilities in the future.

The Hacker News Tags:admin API key, ClickFix attacks, code-signing certificate, CVE-2026-26980, Cybersecurity, Ghost CMS, JavaScript injection, malicious code, Malware, rundll32.exe, security flaw, site hijacking, SQL injection, Threat Actors, web security

Post navigation

Previous Post: Italian Police Dismantle Major Streaming Piracy Network
Next Post: Patient Data Breach at Oncology Institute Confirmed

Related Posts

Moldovan Police Arrest Suspect in €4.5M Ransomware Attack on Dutch Research Agency Moldovan Police Arrest Suspect in €4.5M Ransomware Attack on Dutch Research Agency The Hacker News
Critical n8n Vulnerability (CVSS 10.0) Allows Unauthenticated Attackers to Take Full Control Critical n8n Vulnerability (CVSS 10.0) Allows Unauthenticated Attackers to Take Full Control The Hacker News
UAT-9921 Targets Tech and Finance with VoidLink Malware UAT-9921 Targets Tech and Finance with VoidLink Malware The Hacker News
ShowDoc Vulnerability CVE-2025-0520 Exploited in the Wild ShowDoc Vulnerability CVE-2025-0520 Exploited in the Wild The Hacker News
EC-Council Boosts AI Workforce with New Certifications EC-Council Boosts AI Workforce with New Certifications The Hacker News
Kimsuky Spreads DocSwap Android Malware via QR Phishing Posing as Delivery App Kimsuky Spreads DocSwap Android Malware via QR Phishing Posing as Delivery App The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Windows Update Installs LG App with McAfee Ads
  • QIZ Security Secures $17M for Cryptography Platform
  • UNC6692 Exploits Microsoft Teams for SNOW Malware Attack
  • UK Unveils Cybersecurity Strategy with AI Defense Initiative
  • GodDamn Ransomware Employs PoisonX to Bypass Security

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Windows Update Installs LG App with McAfee Ads
  • QIZ Security Secures $17M for Cryptography Platform
  • UNC6692 Exploits Microsoft Teams for SNOW Malware Attack
  • UK Unveils Cybersecurity Strategy with AI Defense Initiative
  • GodDamn Ransomware Employs PoisonX to Bypass Security

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark