A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript that launches ClickFix attack chains.
The campaign was uncovered by XLab threat intelligence analysts at Qianxin, a Chinese cybersecurity firm, who confirmed it has affected more than 700 domains, including university websites, AI/SaaS companies, media platforms, fintech firms, security portals, and personal blogs.
According to the researchers, malicious code was planted on the websites of well-known institutions such as Harvard University, Oxford University, Auburn University, and DuckDuckGo.
Figure: Compromised sites (Source: XLab)
CVE-2026-26980 affects Ghost versions 3.24.0 through 6.19.0 and allows unauthenticated attackers to extract arbitrary data from the site database, including admin API keys.
These keys grant management privileges over users, articles, and themes, including the ability to modify article pages.
Although a fix has been available since February 19 in Ghost CMS version 6.19.1, many websites have not applied the security update.
SentinelOne published details on February 27 about in-the-wild exploitation of CVE-2026-26980 and methods for detecting it. The analysts observed at least two distinct activity clusters targeting vulnerable Ghost sites, with some domains re-infected with different scripts after cleanup, and one group removing the other's script to insert its own.
Figure: Timeline of the attacks (Source: XLab)
Attack chain
The attacks observed by XLab begin by exploiting CVE-2026-26980 to steal the admin API keys, then use the resulting privileges to embed malicious JavaScript into articles.
The JavaScript is a lightweight loader that fetches second-stage code from the attacker's infrastructure, primarily a cloaking script that profiles visitors to decide whether they fit the targeting criteria.
Visitors who pass this profiling see a fake Cloudflare verification prompt, displayed in an iframe on top of the article page, which carries the ClickFix lure.
Figure: The ClickFix page (Source: XLab)
The page instructs victims to prove they are human by running a supplied command in the Windows command prompt, which drops a payload on their system.
XLab identified multiple payloads in these attacks, including DLL loaders, JavaScript droppers, and an Electron-based malware sample named UtilifySetup.exe.
Figure: Attack phases (Source: XLab)
Mitigating the risk
The first step for Ghost CMS administrators is to update to version 6.19.1 or later and to rotate all existing keys, since they may already have been exposed.
XLab published a list of indicators of compromise (IoCs), including the injected scripts, so site owners should inspect their websites thoroughly to locate and remove them.
The researchers also advise website owners to retain 30 days of admin API call logs so that a reliable retrospective investigation is possible.
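One way to carry out the "inspect your site for injected scripts" step above, as an added example that is not XLab's or Ghost's own code: it parses a Ghost JSON export (the `db[0].data.posts` layout Ghost's exporter produces) and flags off-site script sources, inline scripts, and iframes in each post's rendered HTML and its per-post `codeinjection_head`/`codeinjection_foot` fields. The trusted host and the three sample posts are constructed for the demonstration.

```python
"""Flag injected <script>/<iframe> tags in the posts of a Ghost JSON export."""
import json
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the site legitimately loads scripts from (adjust per site).
TRUSTED_HOSTS = {"blog.example.org"}


class _TagCollector(HTMLParser):
    """Collect script and iframe tags; HTMLParser hands script bodies to handle_data."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            src = a.get("src")
            if src is None:
                self._in_script = True          # inline script body follows
            else:
                host = urlparse(src).hostname   # relative src => same origin
                if host and host not in TRUSTED_HOSTS:
                    self.findings.append(("external-script", src))
        elif tag == "iframe":                   # ClickFix lure is shown via an iframe
            self.findings.append(("iframe", a.get("src", "")))

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.findings.append(("inline-script", data.strip()[:60]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def scan_export(export_json: str) -> dict:
    """Return {slug: [findings]} for every post carrying a suspicious tag."""
    posts = json.loads(export_json)["db"][0]["data"]["posts"]
    results = {}
    for post in posts:
        collector = _TagCollector()
        fields = ("html", "codeinjection_head", "codeinjection_foot")
        collector.feed("".join(post.get(f) or "" for f in fields))
        collector.close()
        if collector.findings:
            results[post["slug"]] = collector.findings
    return results


# Constructed sample export: one clean post, one off-site loader, one inline loader.
SAMPLE_EXPORT = json.dumps({"db": [{"data": {"posts": [
    {"slug": "welcome", "html": '<p>Hello</p><img src="https://blog.example.org/a.png">'},
    {"slug": "news", "html": '<p>Update</p><script src="https://cdn.attacker.invalid/l.js"></script>'},
    {"slug": "about", "html": "<p>About</p>", "codeinjection_head": "<script>(function(){})()</script>"},
]}}]})
```

Run `scan_export` over a real export taken with Ghost's Labs export and compare the flagged slugs against the posts you expect to carry scripts.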