Ghost CMS Flaw Hijacks 700+ Sites for ClickFix Attacks
Updated · The Hacker News · May 25
QiAnXin XLab said attackers have poisoned more than 700 Ghost CMS websites since May 7 by exploiting CVE-2026-26980, a critical SQL injection bug that lets them steal Admin API keys and alter published articles.
Version 6.19.1 fixed the flaw in February, but attackers used the stolen keys to bulk-insert JavaScript loaders at page bottoms, turning legitimate sites across universities, media, fintech and security into malware delivery points.
The injected code pulls a second-stage payload from clo4shara[.]xyz through an Adspect-powered cloaking script that fingerprints visitors, hides malicious content from scanners and can execute 19 remote commands in the browser.
Selected visitors are shown a fake CAPTCHA that pushes a Base64 command into Windows Run, leading to ZIP, batch, PowerShell and DLL or JavaScript payloads that ultimately install a persistent backdoored Electron-based app or other executable.
Ghost users were urged to upgrade immediately, rotate credentials, clean infected pages, review access logs and notify visitors who may have been exposed during the compromise window.
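One way to approach the "clean infected pages" step, as an added example that is not code from the report or from the Ghost project: it parses each post's HTML, lists every `<script>` element, and flags the indicator domain named above, script hosts outside an allowlist, and inline scripts. The `slug` and `html` post fields, the allowlist hosts and the sample posts are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator named in the report, stored defanged and refanged only for matching.
BAD = "clo4shara[.]xyz".replace("[.]", ".")
KNOWN_BAD = {BAD}
# Assumption: hosts this site legitimately loads scripts from (constructed values).
ALLOWED_HOSTS = {"blog.example.com", "cdn.jsdelivr.net"}

class ScriptFinder(HTMLParser):
    """Collect each <script> element's src host and inline body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src") or ""
            self._open = {"host": urlparse(src).hostname or "", "body": ""}
            self.scripts.append(self._open)
    def handle_data(self, data):
        if self._open is not None:
            self._open["body"] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._open = None

def is_known_bad(host):
    # Match the indicator itself and any subdomain of it.
    return any(host == d or host.endswith("." + d) for d in KNOWN_BAD)

def audit_post(post):
    """Return (reason, detail) findings for one post dict with an 'html' field."""
    finder = ScriptFinder()
    finder.feed(post.get("html") or "")
    findings = []
    for s in finder.scripts:
        host, body = s["host"], s["body"].strip()
        if is_known_bad(host) or any(d in body.lower() for d in KNOWN_BAD):
            findings.append(("known-indicator", host or "inline"))
        elif host and host not in ALLOWED_HOSTS:
            findings.append(("unlisted-script-host", host))
        elif not host and body:
            findings.append(("inline-script", body[:40]))
    return findings

# Constructed sample posts, shaped like entries in a Ghost export (slug + html).
SAMPLE_POSTS = [
    {"slug": "clean", "html": "<p>Hello</p><script src='https://cdn.jsdelivr.net/npm/x.js'></script>"},
    {"slug": "welcome", "html": f"<p>Hi</p>\n<script src=\"//{BAD}/l.js\"></script>"},
    {"slug": "pricing", "html": f"<p>Plans</p><script>fetch('https://cdn.{BAD}/s')</script>"},
    {"slug": "about", "html": "<p>Us</p><script src='https://static.unknown.example/t.js'></script>"},
]
```

Findings other than `known-indicator` need manual review, since legitimate embeds also load scripts; relative `src` values are treated as same-origin and not reported.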
Over 10,000 Ghost CMS Sites Compromised: Inside the CVE-2026-26980 SQL Injection Mass Exploitation and ClickFix Malware Campaign
Overview
In May 2026, attackers exploited a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS versions 3.24.0 through 6.19.0, allowing them to access databases without authentication. This flaw enabled attackers to pull sensitive data such as user accounts, content drafts, and API keys. In one incident, an attacker obtained a site's Admin API Key, giving them significant control over the Ghost CMS instance. Although a patch was released in February 2026, many sites remained unpatched, leading to widespread exploitation and highlighting the urgent need for timely updates and strong security practices.