Ghost CMS SQL Injection Hits 700 Sites: Harvard, DuckDuckGo Serve Fake Cloudflare Malware

Two threat groups exploit an unpatched CVSS 9.4 flaw to serve ClickFix malware on 700+ Ghost sites.


An unpatched SQL injection vulnerability in the Ghost content management system has been weaponized in an active, large-scale cyberattack that has compromised more than 700 websites worldwide — including portals belonging to Harvard University, Oxford University, Auburn University, and DuckDuckGo — and is using them to silently push malware onto the computers of ordinary visitors through a fake Cloudflare verification prompt. The campaign is ongoing as of May 25, 2026, with at least two competing threat groups racing to infect the same unpatched sites.

The vulnerability, tracked as CVE-2026-26980, carries a CVSS score of 9.4 — a Critical rating — and requires no authentication to exploit. Any internet-connected Ghost installation running versions 3.24.0 through 6.19.0 can be compromised with a single crafted HTTP request. A patch has existed since February 19, 2026. The 95-day gap between patch release and this campaign's peak has handed attackers a pool of hundreds of unprotected sites.

Threat intelligence researchers at XLab, the research division of Chinese cybersecurity firm Qianxin, first detected a poisoning incident targeting one of their clients' Ghost sites on May 7, 2026. A subsequent investigation found the attack was not targeted but part of a broad, automated campaign sweeping across every vulnerable Ghost deployment reachable on the open internet.

Ghost CMS SQL Injection Flaw: What Attackers Exploited

The flaw lives in Ghost's Content API, specifically in the slug-filter-order.js input serializer. When an automated scanner queries a Ghost site's public content endpoint with a crafted filter parameter, the slug values are inserted directly into a raw SQL ORDER BY clause with no sanitization — a six-line coding error that gives an unauthenticated attacker arbitrary read access to the entire database.
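To make the pattern concrete, here is an added illustration (not Ghost's code and not the actual slug-filter-order.js logic): a hypothetical helper that orders posts by a list of slugs, once by interpolating the slugs into the ORDER BY clause as the advisory describes, and once with bound parameters plus a slug allowlist, which is the shape of the fix the remediation section refers to. The table, column and function names are assumptions.

```javascript
// Added illustration, not Ghost's code: ordering rows by a caller-supplied
// list of slugs, first in the shape CVE-2026-26980 is described (values
// interpolated into ORDER BY) and then with bound parameters. The table,
// column and function names are hypothetical.

// UNSAFE: each slug is pasted into the SQL text. A value containing a quote
// ends the string literal early and the rest of it is parsed as SQL.
function orderBySlugsUnsafe(slugs) {
  const cases = slugs.map((slug, i) => `WHEN '${slug}' THEN ${i}`).join(' ');
  return { sql: `SELECT * FROM posts ORDER BY CASE slug ${cases} END`, bindings: [] };
}

// Allowlist for slug syntax: lowercase letters, digits and single hyphens.
const SLUG_RE = /^[a-z0-9]+(?:-[a-z0-9]+)*$/;

function assertValidSlug(slug) {
  if (typeof slug !== 'string' || !SLUG_RE.test(slug)) {
    throw new Error(`rejected slug in order filter: ${JSON.stringify(slug)}`);
  }
  return slug;
}

// SAFE: every slug becomes a "?" placeholder and travels in the bindings
// array, so the driver hands it to the database as data, never as SQL.
// The position index comes from the array, not from the request, and the
// allowlist check is defence in depth on top of the binding.
function orderBySlugsSafe(slugs) {
  const cases = slugs.map((slug, i) => `WHEN ? THEN ${i}`).join(' ');
  return {
    sql: `SELECT * FROM posts ORDER BY CASE slug ${cases} END`,
    bindings: slugs.map(assertValidSlug),
  };
}
```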

What makes CVE-2026-26980 especially dangerous is what sits in that database: the Admin API Key, a credential that grants full management access to a Ghost site's articles, themes, and user accounts — without a password. Unlike the Content API Key (a read-only credential embedded publicly in every theme's HTML), the Admin API Key is intended to be private. Once stolen through the SQL injection, it becomes an all-access pass to every piece of content the site has ever published.

SonicWall's Capture Labs independently analyzed the flaw and confirmed the root cause in the same input serializer, rating the vulnerability Critical. The exploitation requires only three conditions: a vulnerable Ghost version, at least one published post, and a reachable Content API endpoint — requirements every default Ghost installation satisfies simultaneously.

How Attackers Turn a Stolen Key Into Visitor Malware

Once attackers obtain the Admin API Key, they pivot from database theft to content poisoning. Using Ghost's own legitimate admin API, they make bulk edits to every published article on the compromised site, appending a hidden JavaScript loader to the bottom of each page. The loader is lightweight by design — its sole job is to reach out to attacker-controlled infrastructure and fetch a second stage.

That second stage is a cloaking script. It fingerprints each visitor, checking browser characteristics, IP geolocation, and behavioral signals to decide whether the visitor is a real human target or an automated security scanner. Visitors identified as viable targets are served the payload: a full-screen iframe rendering a convincing fake Cloudflare human-verification page on top of the article they came to read.

The fake verification page is the ClickFix lure. It instructs the visitor to prove they are human by pressing Windows+R and pasting a command the page has already silently copied to their clipboard. That command is a malicious PowerShell script. If the visitor complies — as millions of internet users do routinely with legitimate bot-check prompts — their Windows machine executes attacker-controlled code with no further action required on the attacker's part.

What ClickFix Delivers and Why It Bypasses Defenses

XLab researchers documented multiple distinct payloads distributed through this pipeline: DLL loaders, JavaScript droppers, and an Electron-based malware sample named UtilifySetup.exe, which had zero detections on VirusTotal when the second attack wave launched on May 16. The final payload is what the researchers called a stealer trojan: software designed to harvest credentials, session tokens, and other sensitive data from the infected machine and send it to an attacker-controlled server.

The ClickFix delivery mechanism is effective precisely because it outsources execution to the victim. Traditional malware downloads are flagged by browsers, endpoint security tools, and email filters. A PowerShell command pasted by a human into a Windows dialog bypasses most of those controls entirely. Recorded Future's Insikt Group assessed in March 2026 that ClickFix will very likely remain a dominant initial access method throughout the year, specifically because it shifts the point of exploitation from automated systems to human behavior. When the lure is embedded inside a page from a trusted institution — a university research portal, a privacy-focused search engine — the psychological barrier to compliance drops further.

The campaign's first wave used a cloaking domain hosted behind Cloudflare's proxy service, which created an interception window. Cloudflare reportedly blocked the original cloaking domain after users reported the anomalous verification prompts, temporarily severing the attack chain. On May 16, the threat actors updated to a new cloaking domain not yet flagged by Cloudflare and introduced the upgraded zero-detection payload.

Harvard, Oxford, DuckDuckGo: Why High-Profile Victims Amplify the Risk

XLab's second enumeration sweep, completed May 17, confirmed that well-known, high-trust destinations had been compromised — specifically Harvard University, Oxford University, Auburn University, and DuckDuckGo. The inclusion of these institutions is not incidental. Academic portals attract large volumes of student, researcher, and general public traffic, and the Cloudflare verification pop-up is a familiar interface pattern on campus networks. DuckDuckGo, whose brand is built on user trust and privacy, presents an especially effective social-engineering surface: a visitor encountering an unexpected prompt on DuckDuckGo is arguably less likely to question its legitimacy than on an unfamiliar site.

Of the 700+ victim domains analyzed by XLab, 48.1% are personal blogs or independent sites, 14.8% are software development or SaaS platforms, 4.6% are AI and machine learning companies, 2.7% are academic or educational institutions, and 2.5% are media and news outlets. The data shows the attack casts an indiscriminate net: the automated vulnerability scanner does not distinguish between a personal blog and a university research portal.

XLab began contacting affected sites on May 10, 2026. By the time of their May 21 publication, the vast majority of those notifications had received no response, and some sites had been re-infected multiple times — sometimes by competing attack groups overwriting each other's malicious code within a single day.

How Do I Know if My Ghost Site Is Compromised?

The presence of at least two distinct activity clusters means remediation is more involved than a simple patch-and-reset. XLab recommends the following steps for any Ghost CMS operator who has not applied the February 19 patch.

1. Upgrade to Ghost version 6.19.1 or later immediately. This closes CVE-2026-26980 by replacing the vulnerable SQL string interpolation with parameterized queries.

2. Rotate all credentials — Admin API Key, Content API Key, administrator password, and session tokens — regardless of whether the site appears clean. Any key generated while running a vulnerable version must be treated as potentially exposed.

3. Audit published content at the database level, not through the Ghost editor backend. The injected JavaScript loaders typically appear at the bottom of article content. XLab has published indicators of compromise including script fingerprints for both known attack clusters.

4. Retain at least 30 days of Admin API call logs and use those indicators for retrospective investigation to determine when unauthorized bulk edits occurred and which articles were modified.

5. Notify site visitors who may have been served the ClickFix lure during the contamination window, and recommend that they run a full malware scan on any Windows machine used to browse the site during that period.
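Two of the checks above (the database-level content audit and the Admin API log review), as an added example that is neither XLab's nor Ghost's tooling: the Admin API path and the log line format are assumptions, and the sample posts and log lines are constructed.

```javascript
// Added example, neither XLab's nor Ghost's tooling. The post shape (id, slug,
// html) follows Ghost's posts table columns; the Admin API path and the log
// line format "<ISO time> <method> <path> <status>" are assumptions.

// Check 1 (content audit at the database level): report every <script src> in a
// post body whose host is not the site itself, with its offset from the end.
const SCRIPT_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;

function findExternalScripts(posts, siteOrigin) {
  const siteHost = new URL(siteOrigin).hostname;
  const findings = [];
  for (const post of posts) {
    for (const m of post.html.matchAll(SCRIPT_RE)) {
      const host = new URL(m[1], siteOrigin).hostname;  // resolves relative src
      if (host === siteHost) continue;
      findings.push({ id: post.id, slug: post.slug, host,
                      charsFromEnd: post.html.length - m.index });
    }
  }
  return findings;
}

// Check 2 (Admin API log review): count successful post edits per UTC minute
// and return the minutes at or above a threshold, the mark of a scripted rewrite.
const EDIT_RE = /^(\S+) (?:PUT|POST) \/ghost\/api\/admin\/posts\/\S* (\d{3})$/;

function findBulkEditMinutes(logLines, threshold) {
  const perMinute = new Map();
  for (const line of logLines) {
    const m = EDIT_RE.exec(line.trim());
    if (!m || m[2] !== '200') continue;
    const minute = m[1].slice(0, 16);  // "2026-05-16T03:12"
    perMinute.set(minute, (perMinute.get(minute) || 0) + 1);
  }
  return [...perMinute].filter(([, n]) => n >= threshold)
    .map(([minute, edits]) => ({ minute, edits }));
}

// Constructed sample data (not real indicators of compromise).
const SAMPLE_POSTS = [
  { id: 'p1', slug: 'welcome', html: '<p>Hello</p><script src="/assets/theme.js"></script>' },
  { id: 'p2', slug: 'news', html: '<p>Story</p>'.repeat(10) +
      '<script src="https://cdn.example.invalid/l.js"></script>' },
];
const SAMPLE_LOG = [
  '2026-05-16T03:12:01Z PUT /ghost/api/admin/posts/p1/ 200',
  '2026-05-16T03:12:02Z PUT /ghost/api/admin/posts/p2/ 200',
  '2026-05-16T09:40:00Z PUT /ghost/api/admin/posts/p1/ 200',
];
```

Run the two functions over a dump of the posts table and the retained API logs; a finding from the first check dated by a burst from the second bounds the contamination window used for the visitor notification step.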

Ghost CMS Patch Gap: 95 Days From Fix to Mass Exploitation

The timeline of this campaign follows a now-familiar pattern in open-source CMS security: a critical unauthenticated flaw is disclosed, a patch is released, and a substantial portion of the installed base fails to apply it — providing a target-rich environment for attackers months later. CVE-2026-26980 was patched on February 19, 2026. SentinelOne published exploitation details and detection guidance on February 27. By May 7, attackers had industrialized the exploitation into a fully automated pipeline: bulk scanner, automatic key extraction, bulk article injection, dynamic payload distribution.

The 95-day exploitation window reflects the operational reality that many Ghost operators — particularly personal bloggers, small academic units, and volunteer-run nonprofit sites — lack the monitoring infrastructure or maintenance cadence to act quickly on a high-severity security advisory. Ghost is deployed across tens of thousands of self-hosted installations, the majority of which have no managed update mechanism.

XLab's warning extends beyond already-compromised sites: Ghost deployments that have not yet been infected remain at risk because attackers continue to scan for unpatched installations. Credentials and configuration data already harvested from compromised sites may also be used for lateral movement into other business systems operated by the same affected organizations.


Frequently Asked Questions

What is ClickFix and how does it work?

ClickFix is a social engineering technique in which a fake CAPTCHA or verification page silently copies a malicious command to the visitor's clipboard and instructs them to paste it into a Windows command prompt. Because the victim executes the command themselves, the attack bypasses most browser-based and endpoint security controls that would otherwise flag a traditional malware download. In this Ghost CMS campaign, the prompt was disguised as a Cloudflare human-verification check delivered via an iframe injected into legitimate article pages.

How do I patch the Ghost CMS vulnerability CVE-2026-26980?

Upgrade your Ghost installation to version 6.19.1 or later, which addresses the vulnerability by replacing the flawed SQL string interpolation with parameterized queries. After upgrading, rotate all credentials — Admin API Key, Content API Key, administrator password, and active sessions — as these may have been extracted from your database while the site was running a vulnerable version. Then audit your published articles at the database level for injected JavaScript payloads and review at least 30 days of Admin API call logs.

Is Ghost CMS safe to use after patching?

Version 6.19.1 closes CVE-2026-26980 and is safe to deploy. Sites that were running versions 3.24.0 through 6.19.0 before patching should complete the full remediation checklist — credential rotation, content audit, log review, and visitor notification — before treating the site as clean, because the vulnerability allowed attackers to operate silently and injected JavaScript may not be visible through the Ghost admin editor's normal view.

What malware was delivered through this Ghost CMS campaign?

XLab researchers documented DLL loaders, JavaScript droppers, and an Electron-based infostealer named UtilifySetup.exe as payloads distributed through the ClickFix lure on compromised Ghost sites. The UtilifySetup.exe variant carried zero antivirus detections on VirusTotal when the second attack wave launched on May 16, 2026. All documented payloads target Windows systems; the ClickFix lure instructs victims to open a Windows command prompt, making macOS and Linux visitors non-targets of this specific attack chain.

ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.
