CVE-2026-26980 Ghost Exploited to Hijack 700+ Sites for ClickFix Attacks

Summary:

Threat actors are actively exploiting a critical SQL injection vulnerability in Ghost CMS, tracked as CVE-2026-26980, to compromise more than 700 websites across sectors including universities, blockchain, artificial intelligence, software-as-a-service, security research, media, and financial technology. The vulnerability exists within Ghost’s Content API and allows unauthenticated attackers to retrieve arbitrary data from the backend database, including the site’s Admin API key.

Once obtained, attackers leverage the Admin API to inject malicious JavaScript loaders into published articles, facilitating large-scale ClickFix malware campaigns. The vulnerability was patched in Ghost version 6.19.1 in February 2026. It was originally discovered by Anthropic using its Claude AI system; active exploitation was first observed on May 7, 2026, and continues to expand. Organizations operating unpatched Ghost CMS instances should immediately upgrade to the latest supported version.

Technical Description:

CVE-2026-26980 is a critical SQL injection vulnerability affecting Ghost CMS’s publicly accessible Content API. Because the API can be accessed without authentication, attackers can submit specially crafted SQL queries that execute directly against the backend database and return arbitrary data.

The most severe outcome is the ability to extract the site's Admin API key without requiring valid credentials. Once the Admin API key is obtained, attackers gain full administrative access through the Ghost Admin API, enabling them to create, modify, or delete content across the entire website. This effectively results in complete compromise of the Ghost CMS instance through a single unauthenticated request.

The vulnerability was discovered by Anthropic using its Claude artificial intelligence system.

Following compromise, attackers inject malicious JavaScript into website articles using the Admin API. The injected code acts as a two-stage loader that retrieves additional payloads from external infrastructure, including clo4shara[.]xyz. The payload utilizes Adspect, a commercial traffic cloaking service that filters security scanners and automated crawlers while selectively serving malicious content to genuine users.

Victims are redirected to fake CAPTCHA verification pages displayed through embedded iframes. These pages initiate ClickFix attacks by instructing users to copy and paste Base64-encoded commands into the Windows Run dialog. The commands download ZIP archives containing batch scripts that subsequently retrieve and execute malicious DLL or JavaScript payloads through rundll32.exe, ultimately installing a persistent backdoor application on the victim's system.

The exploitation campaign is described in more detail in the sections below.

CVE:                CVE-2026-26980
CVSS:               9.4
Vulnerability Type: SQL Injection / Unauthenticated Remote Code Execution
Affected Product:   Ghost CMS (versions prior to 6.19.1)
Patch Version:      1.3.5

Exploitation Demonstration:

  • Attackers identify publicly accessible Ghost CMS installations running versions prior to 6.19.1. Automated scanning tools are used to detect exposed Content API endpoints, which are enabled by default and require no authentication.
  • A specially crafted unauthenticated HTTP request containing a malicious SQL payload is sent to the Content API endpoint. Due to improper input handling, the SQL query executes directly against the database and returns sensitive information, including the site's Admin API key.
  • Using the extracted Admin API key, attackers authenticate to the Ghost Admin API with full administrative privileges and enumerate all published content available on the website.
  • With administrative access established, attackers systematically modify articles and pages by injecting obfuscated JavaScript loaders into published content.
  • The injected JavaScript retrieves additional payloads from attacker-controlled infrastructure and redirects legitimate visitors to fake CAPTCHA verification pages. Through ClickFix social engineering, users are tricked into executing malicious commands that ultimately install persistent malware while remaining concealed from automated security analysis through Adspect cloaking technology.

Ease of Exploitation:

The vulnerability requires no authentication, no prior access, and no elevated privileges. Any attacker capable of reaching a vulnerable Ghost CMS instance can retrieve the Admin API key through a single unauthenticated request.

Once administrative credentials are obtained, attackers can leverage Ghost’s fully documented and legitimate Admin API to perform large-scale content manipulation without requiring advanced exploit development or specialized malware deployment frameworks.

The combination of unauthenticated access, direct credential exposure, and access to an authorized management interface significantly lowers the technical barrier to exploitation. The compromise of more than 700 websites within weeks of public disclosure demonstrates that automated exploitation is already occurring at scale.

Conclusion:

CVE-2026-26980 represents an actively exploited and highly impactful threat to organizations operating Ghost CMS versions earlier than 6.19.1. The attack chain is fully automated, requires no authentication, and has already resulted in the compromise of hundreds of trusted websites worldwide, including institutions in education, research, media, and financial technology sectors.

The use of commercial cloaking services to evade detection, combined with modular malware delivery mechanisms, indicates a sophisticated and persistent threat actor capable of conducting large-scale malicious campaigns.

Organizations should immediately upgrade to Ghost CMS version 6.19.1 or later, rotate exposed credentials, audit website content for unauthorized modifications, and assess whether visitors may have been exposed to malicious payloads. Failure to remediate may result in continued website compromise, malware distribution, and significant reputational damage.

Impact:

Successful exploitation of CVE-2026-26980 grants attackers full administrative control over affected Ghost CMS instances and enables the large-scale injection of malicious JavaScript across published website content.

Visitors accessing compromised websites may be redirected into ClickFix malware campaigns that install persistent Electron-based backdoors on Windows systems. These backdoors establish ongoing communication with remote command-and-control infrastructure, typically polling every 30 seconds, and provide attackers with capabilities including arbitrary command execution, file theft, persistence, and lateral movement.

For website operators, the consequences extend beyond platform compromise. Organizations may unknowingly become malware distribution points, exposing customers, partners, students, researchers, or employees to downstream compromise. This can result in significant reputational damage, operational disruption, regulatory scrutiny, and loss of stakeholder trust.

For UAE and MENA organizations, successful compromise may trigger obligations under applicable data protection regulations, including UAE Personal Data Protection Law (PDPL) requirements where personal information is exposed or distributed through compromised platforms. Organizations should assess potential notification obligations and incident response requirements where visitor compromise is suspected.

IOC and Context Details:

Tactic Name: Initial Access, Execution, Persistence, Defence Evasion, Collection, Command and Control, Impact

Technique Name:
  • SQL Injection via Unauthenticated Ghost Content API
  • Admin API Key Extraction from Database
  • Bulk Article Tampering via Ghost Admin API
  • Malicious JavaScript Loader Injection
  • ClickFix Social Engineering via Fake CAPTCHA
  • Persistent Backdoor Installation via Electron Application
  • Traffic Cloaking via Adspect Commercial Service

Sub Technique Name:
  • Unauthenticated HTTP request sent to Ghost Content API
  • SQL injection payload extracts Admin API key from database
  • Admin API used to modify all published articles in bulk
  • Malicious JavaScript loader injected at bottom of article pages
  • Loader fetches payload from clo4shara[.]xyz via Adspect cloaking script
  • Human visitors served fake CAPTCHA iframe triggering ClickFix
  • Base64-encoded PowerShell command downloads and executes DLL or JS payload
  • Grape Electron app installed for persistent C2 polling every 30 seconds

Attack Type: Vulnerability

Targeted Applications: Ghost CMS (all versions prior to 6.19.1), Ghost Content API (unauthenticated), Ghost Admin API, Windows endpoints visiting compromised Ghost sites.

Region Impacted: Global

Industry Impacted: Cross-industry (any organisation running Linux endpoints, servers, or cloud workloads).

IOCs: N/A

CVE: CVE-2026-26980

Recommended Actions:

  • Upgrade Ghost CMS to version 6.19.1 or later immediately using Ghost CLI or the update mechanism provided by the hosting provider. Restart Ghost services after upgrading to ensure the patched version is active.
  • If immediate patching is not possible, temporarily restrict public access to the Ghost Content API and deploy Web Application Firewall protections capable of detecting and blocking SQL injection attempts targeting API query parameters.
  • Use the Ghost Admin API or direct database inspection to identify all published content and audit articles for unauthorized JavaScript injection. Consider automating large-scale content reviews across all posts and pages.
  • Notify users who visited affected websites during the compromise window that they may have been exposed to ClickFix malware campaigns. Advise users to conduct endpoint scans and avoid executing commands previously presented by suspicious CAPTCHA pages.
  • Search all published content for unauthorized script tags, particularly those referencing external domains or obfuscated JavaScript loaders. Remove malicious code immediately and republish clean versions of affected content.
  • Review Ghost CMS logs for unusual unauthenticated requests targeting the Content API, especially requests containing SQL-like syntax, abnormal parameters, or unexpectedly long query strings indicative of exploitation attempts.
  • Strengthen host-level security controls by minimizing unnecessary local accounts, hardening Secure Shell access, and restricting service account permissions to reduce the likelihood of additional compromise.
  • Maintain verified offline backups of website content, databases, and system configurations. Organizations should be prepared to perform a full rebuild and credential rotation if persistent malware or unauthorized modifications are discovered.
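To support the content-audit and log-review actions above, the following Node.js script is an added example (not code from the advisory, the referenced article, or the Ghost project): it flags `<script>` tags in a post's HTML that load from a foreign host or decode and eval their own body, and flags Content API access-log lines whose query string carries SQL-like tokens or is unusually long. The site host, loader domain, log lines and post HTML are constructed placeholders; in practice the HTML would come from the Admin API posts endpoint and the logs from the reverse proxy in front of Ghost.

```javascript
// Added example, not code from the advisory or the Ghost project: (1) audit a post's HTML
// for injected <script> tags, (2) flag access-log lines hitting the Content API with SQL-like
// syntax. Sample HTML and log lines below are constructed; in practice the HTML comes from the
// Admin API posts endpoint and the logs from the reverse proxy in front of Ghost.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_RE = /\bsrc\s*=\s*["']([^"']+)["']/i;
const OBFUSCATION_RE = /\b(eval|atob|unescape|String\.fromCharCode)\s*\(/;

// Script tags whose src is not on the site's own host, plus inline scripts that decode or
// eval their own body (the loader pattern the advisory describes).
function findSuspiciousScripts(html, siteHost) {
  const findings = [];
  for (const [, attrs, body] of html.matchAll(SCRIPT_RE)) {
    const src = (attrs.match(SRC_RE) || [])[1];
    if (src !== undefined) {
      let host = null;
      try { host = new URL(src, `https://${siteHost}/`).host; } catch (e) { /* unparsable src */ }
      if (host !== siteHost) findings.push({ kind: 'external-src', value: src });
    } else if (OBFUSCATION_RE.test(body)) {
      findings.push({ kind: 'obfuscated-inline', value: body.trim().slice(0, 60) });
    }
  }
  return findings;
}

// Requests to /ghost/api/content/ whose decoded query string carries SQL-like tokens or is
// unusually long; returns the matching raw lines for analyst review.
const SQL_HINT_RE = /('|--|\/\*|\bunion\b|\bselect\b|\bsleep\s*\()/i;
function flagContentApiRequests(logLines, maxQueryLen = 512) {
  const flagged = [];
  for (const line of logLines) {
    const m = line.match(/"(?:GET|POST) (\/ghost\/api\/content\/[^ "]*)/);
    if (!m) continue;                                   // not a Content API request
    const query = m[1].split('?')[1] || '';
    let decoded = query;
    try { decoded = decodeURIComponent(query); } catch (e) { /* keep raw form */ }
    if (SQL_HINT_RE.test(decoded) || query.length > maxQueryLen) flagged.push(line);
  }
  return flagged;
}

// Constructed sample data: placeholder site host, placeholder loader domain, documentation IPs.
const SAMPLE_HTML = `<p>Welcome.</p><script src="/assets/built/app.js"></script>
<script src="https://loader.attacker-cdn.example/ld.js"></script>
<script>eval(atob("ZG9jdW1lbnQud3JpdGUoIngiKQ=="))</script>`;
const SAMPLE_LOG = [
  '203.0.113.5 - - [07/May/2026:10:01:02 +0000] "GET /ghost/api/content/posts/?key=k1&limit=5 HTTP/1.1" 200 812',
  '198.51.100.9 - - [07/May/2026:10:01:09 +0000] "GET /ghost/api/content/posts/?key=k1&filter=slug%3A%27%20OR%201%3D1-- HTTP/1.1" 200 1201',
];
console.log(findSuspiciousScripts(SAMPLE_HTML, 'example-blog.test'), flagContentApiRequests(SAMPLE_LOG));
```

The SQL hints are deliberately broad (a legitimate slug containing `--` will also match), so treat the output as a review queue rather than a verdict, and tune `maxQueryLen` to the longest query your own theme or integrations legitimately issue.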

Reference:

https://thehackernews.com/2026/05/ghost-cms-cve-2026-26980-exploited-to.html