Ghost CMS SQL Injection Exploits 700+ Sites in Ongoing ClickFix Campaign

Ghost CMS SQL Injection Exploits 700+ Sites in Ongoing ClickFix Campaign

First seen 25 May 2026, 15:01 UTC BleepingcomputerTechnaduTechgigThehackernewsTechtimes+12 89% similarity 78.0

Article Content

Browse articles
ThreatCluster

A critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS is being actively exploited in a large-scale cyberattack affecting over 700 websites, including those of Harvard University, Oxford University, Auburn University, and DuckDuckGo. The vulnerability allows unauthenticated attackers to read arbitrary data from the database, including sensitive admin API keys. Attackers leverage these keys to inject malicious JavaScript into articles, facilitating ClickFix attacks that trick users into executing harmful commands. Despite a patch being released on February 19, 2026, many sites remain unpatched and vulnerable. The campaign was first detected by XLab researchers at Qianxin on May 7, 2026, and has since expanded rapidly. The malicious scripts serve a fake Cloudflare verification prompt, leading victims to inadvertently download malware. The situation is ongoing as of May 25, 2026, with multiple threat actors involved.

Key Points: • CVE-2026-26980 allows unauthenticated access to Ghost CMS databases, affecting 700+ sites. • Attackers inject JavaScript to facilitate ClickFix attacks, using admin API keys for exploitation. • A patch was released on February 19, 2026, but many sites remain unprotected and vulnerable.

ThreatCluster AI

Timeline

2026-02-19
Patch released for Ghost CMS
Ghost CMS version 6.19.1 released to fix the critical SQL injection vulnerability.
BleepingComputer
2026-02-20
CVE-2026-26980 published
Ghost CMS vulnerability disclosed, allowing SQL injection and database access.
Techtimes
2026-05-07
First detection of exploitation
XLab researchers detected the SQL injection exploitation targeting Ghost CMS sites.
Techtimes
2026-05-25
Ongoing campaign confirmed
Over 700 sites compromised, with attackers actively exploiting the vulnerability to inject malware.
Technadu

Community

Browse all →