A critical vulnerability in Ghost CMS has been exploited by cybercriminals, resulting in the compromise of over 700 websites. The flaw, identified as CVE-2026-26980, has been used to conduct ClickFix attacks by injecting malicious JavaScript code across various sites.
Details of the Vulnerability
According to cybersecurity firm QiAnXin XLab, the issue lies in an SQL injection vulnerability within Ghost’s Content API, which received a CVSS score of 9.4. This flaw potentially allows unauthorized attackers to access and manipulate sensitive data. The vulnerability was addressed in February 2026 with the release of version 6.19.1, following its discovery by Anthropic using the Claude tool.
The main threat posed by this vulnerability is its capacity to expose a site’s admin API key. This access enables attackers to inject harmful code directly into articles on the compromised content management system, significantly affecting site integrity and security.
Impact and Attack Mechanism
The exploitation of this vulnerability has led to what QiAnXin XLab describes as a “large-scale poisoning” campaign. Threat actors use the acquired admin API key to alter multiple articles, embedding malicious JavaScript loaders that facilitate fake CAPTCHA attacks. The campaign, active since May 7, 2026, has affected sectors ranging from universities to financial technology.
The methodology involves deploying a two-stage JavaScript loader to retrieve a primary payload from an external domain. This approach allows attackers to dynamically alter the payload while maintaining consistency in their attack strategy. The injected script also collects user data and executes actions like redirections and pop-ups, powered by Adspect’s cloaking service.
Response and Recommendations
Users of Ghost CMS are strongly urged to update to the latest software version, change all credentials, and thoroughly clean any infected sites. Additionally, it is crucial to review access logs for unusual activity and inform users who may have accessed compromised sites to be vigilant for any signs of data breaches.
The attacks, aimed at tricking users into executing commands that download malware, highlight the importance of robust cybersecurity practices. The end goal is often to install a Windows executable, disguised as a legitimate application such as the PuTTY client or delivered through JavaScript installers, to establish persistent control over compromised systems.
With the potential for widespread impact, it is vital for organizations relying on Ghost CMS to take immediate protective measures. Ensuring that systems are updated and secure will help mitigate the risks posed by such vulnerabilities in the future.
