PROBABLYPWNED
Vulnerabilities | May 24, 2026 | 5 min read

700 Sites Hijacked as Ghost CMS SQLi Fuels ClickFix Attacks

Attackers exploit CVE-2026-26980 to steal admin API keys and inject malicious scripts across 700+ Ghost CMS sites, including Harvard and Oxford. Patch now.

Marcus Chen

Attackers have weaponized a critical SQL injection flaw in Ghost CMS to hijack over 700 websites, injecting malicious JavaScript that tricks visitors into executing malware through fake Cloudflare verification pages. Harvard University, Oxford University, and DuckDuckGo are among the confirmed victims.

XLab threat intelligence researchers at Qianxin documented the campaign after detecting suspicious activity on a client's Ghost installation on May 7. What appeared to be a targeted intrusion turned out to be a large-scale automated campaign exploiting unpatched Ghost instances globally.

The Vulnerability: CVE-2026-26980

CVE-2026-26980 is a blind SQL injection flaw in Ghost's Content API affecting versions 3.24.0 through 6.19.0. The vulnerability carries a CVSS score of 9.4 (critical) and requires no authentication to exploit.

The flaw exists in how Ghost handles the filter=slug:[...] and order=slug:[...] query parameters. Attackers can inject arbitrary SQL into the ORDER BY clause, enabling read access to any database table—including admin credentials, bcrypt password hashes, session secrets, and Admin API keys.

Ghost patched the vulnerability on February 19, 2026, with the release of version 6.19.1. SentinelOne published exploitation details on February 27, and public proof-of-concept exploits appeared on GitHub shortly after.

The three-month window between patch availability and mass exploitation follows a depressingly familiar pattern. We saw similar rapid weaponization with Drupal's SQL injection flaw just days ago—15,000 attacks within 48 hours of patch release.

Attack Chain: From SQL Injection to Malware Delivery

The campaign follows a five-stage attack chain that researchers describe as "highly automated":

Stage 1: Credential Theft

Attackers exploit CVE-2026-26980 to extract Admin API keys from the Ghost database. These keys grant full management access to articles, users, and themes without requiring username/password authentication.

Stage 2: JavaScript Injection

Using stolen API keys, attackers bulk-modify articles through Ghost's Admin API, injecting lightweight JavaScript loaders at the bottom of every page. The loaders use btoa(a.origin) to identify victim sites and dynamically fetch second-stage payloads.

Stage 3: Traffic Filtering

A cloaking script fingerprints visitors via the Adspect service, collecting WebGL data, browser properties, and timezone information. Only users meeting specific criteria receive the malicious payload, most likely to evade security researchers and automated scanners.

Stage 4: ClickFix Social Engineering

Selected victims see a forged Cloudflare verification page instructing them to:

  1. Press Win+R to open the Run dialog
  2. Paste clipboard contents (secretly loaded with malicious commands)
  3. Press Enter to "verify" their identity

This technique has become disturbingly common. Microsoft flagged a variant called CrashFix that deliberately crashes browsers before displaying repair instructions that execute PowerShell malware. Another campaign abuses Windows App-V scripts to bypass endpoint protection entirely.

Stage 5: Malware Execution

The clipboard command downloads a ZIP file containing batch scripts that use PowerShell to fetch DLLs via Storj CDN. The final payload, an Electron app called UtilifySetup.exe, achieves persistence through setLoginItemSettings and beacons to command servers every 30 seconds.

Two Competing Threat Actors

XLab identified at least two distinct threat actor clusters targeting the same vulnerable Ghost instances, sometimes within 24 hours of each other.

Actor A operates the primary campaign, upgrading from test payloads (fake PuTTY installers) in February to functional stealer malware by mid-May. Their infrastructure includes domains like clo4shara[.]xyz, cloud-verification[.]com, and com-apps[.]cc.

Actor B uses XOR encryption (key: h2QHiVI) for payload obfuscation and operates infrastructure linked to approximately 500 suspicious domains. Researchers connected this cluster to a campaign called Aeternum based on VirusTotal domain clustering.

The Harvard International Review was compromised by both groups within a single day—evidence that attackers are racing to monetize vulnerable Ghost installations before administrators patch.

Who Is Affected

XLab's victim analysis shows personal blogs account for 48.1% of compromised sites, followed by SaaS/tech companies (14.8%) and AI/ML startups (4.6%). The remainder includes university portals, media outlets, fintech firms, and ironically, security-focused websites.

Notable confirmed victims include:

  • Harvard University
  • Oxford University
  • Auburn University
  • DuckDuckGo

By May 17, researchers had identified over 700 compromised domains, though the actual number is likely higher given the automated nature of the campaign.

What to Do Now

Upgrade immediately. Ghost 6.19.1 patches CVE-2026-26980 by replacing raw SQL string interpolation with parameterized Knex bindings. Docker users should pull ghost:6.19.1 or later.

Rotate all API keys. Even if you've patched, assume any API keys generated before February 19 are compromised. Revoke them and generate new credentials.

Check for injected scripts. Search your Ghost database and article content for these indicators:

  • String ghost_once_footer_
  • Combined patterns: atob( + appendChild
  • String btoa(a.origin)
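One way to run that check over exported post content, as an added example that is not part of the article or of Ghost itself. It assumes post objects shaped like Ghost Admin API records (id, slug, html, codeinjection_head, codeinjection_foot) and scans every text field for the three indicators above; the sample posts are constructed.

```javascript
// Indicators from the article: a literal marker string, the btoa(a.origin)
// victim fingerprint, and the combined atob( + appendChild loader pattern.
const INDICATORS = [
  { name: "ghost_once_footer_", test: (s) => s.includes("ghost_once_footer_") },
  { name: "btoa(a.origin)", test: (s) => s.includes("btoa(a.origin)") },
  { name: "atob( + appendChild", test: (s) => s.includes("atob(") && s.includes("appendChild") },
];

// Fields that end up in the rendered page. Per-post code injection is a
// separate field from the article body, so it must be scanned too.
const FIELDS = ["html", "codeinjection_head", "codeinjection_foot"];

// Returns { id, slug, hits: [{ field, indicator }] } for one post.
function scanPost(post) {
  const hits = [];
  for (const field of FIELDS) {
    const text = post[field];
    if (typeof text !== "string" || text.length === 0) continue;
    for (const ind of INDICATORS) {
      if (ind.test(text)) hits.push({ field, indicator: ind.name });
    }
  }
  return { id: post.id, slug: post.slug, hits };
}

// Returns only the posts that matched at least one indicator.
function scanPosts(posts) {
  return posts.map(scanPost).filter((r) => r.hits.length > 0);
}

// Constructed sample data: one clean post, one with a loader in the body,
// one with a footer injection. The script bodies are placeholders, not real payloads.
const SAMPLE_POSTS = [
  { id: "p1", slug: "hello-world", html: "<p>Welcome to the blog.</p>", codeinjection_foot: null },
  { id: "p2", slug: "about",
    html: "<p>Bio</p><script>var s=document.createElement('script');s.src=atob('PLACEHOLDER');document.body.appendChild(s)</script>" },
  { id: "p3", slug: "news",
    html: "<p>Unchanged article text.</p>",
    codeinjection_foot: "<script id=\"ghost_once_footer_x\">var a=location;var v=btoa(a.origin);</script>" },
];

console.log(JSON.stringify(scanPosts(SAMPLE_POSTS), null, 2));
```

Feed it the output of a Ghost content export or an Admin API posts listing; each hit names the field to clean, and a hit in codeinjection_foot means the post-level code injection must be cleared as well as the body.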

Review admin API logs. Ghost maintains 30-day API call logs by default. Look for bulk article modifications from unfamiliar IP addresses.
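A small log review that implements the advice above, added here as an example rather than anything the article or Ghost ships. The line format (ISO timestamp, client IP, method, path, status) is an assumption for this example; real proxy or Ghost logs will need the regex adjusted. It flags any IP outside a known-administrator set that performs a burst of successful Admin API writes to posts within a short window.

```javascript
// Constructed line format: "<ISO time> <ip> <method> <path> <status>".
// Only writes to the Admin API posts endpoint are of interest here.
const LINE_RE = /^(\S+) (\S+) (PUT|POST|DELETE) (\/ghost\/api\/admin\/posts\/\S*) (\d{3})$/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null; // reads, other endpoints, or an unrecognised format
  return { ts: Date.parse(m[1]), ip: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Returns [{ ip, writes, firstSeen }] for IPs not in knownIps whose successful
// post writes reach `threshold` inside any window of `windowMs` milliseconds.
function findBulkEdits(lines, { knownIps = new Set(), threshold = 5, windowMs = 10 * 60 * 1000 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || e.status >= 400 || knownIps.has(e.ip)) continue;
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e.ts);
  }
  const findings = [];
  for (const [ip, stamps] of byIp) {
    stamps.sort((a, b) => a - b);
    let best = 0, bestStart = 0, start = 0;
    for (let end = 0; end < stamps.length; end++) {
      while (stamps[end] - stamps[start] > windowMs) start++; // slide the window
      if (end - start + 1 > best) { best = end - start + 1; bestStart = start; }
    }
    if (best >= threshold) {
      findings.push({ ip, writes: best, firstSeen: new Date(stamps[bestStart]).toISOString() });
    }
  }
  return findings;
}

// Constructed sample: a burst of six edits from an unfamiliar address, two
// routine edits from a known admin, and one read that is ignored.
const SAMPLE_LOG = [
  "2026-05-08T03:12:00Z 203.0.113.7 PUT /ghost/api/admin/posts/a1/ 200",
  "2026-05-08T03:12:01Z 203.0.113.7 PUT /ghost/api/admin/posts/a2/ 200",
  "2026-05-08T03:12:02Z 203.0.113.7 PUT /ghost/api/admin/posts/a3/ 200",
  "2026-05-08T03:12:30Z 198.51.100.4 PUT /ghost/api/admin/posts/b9/ 200",
  "2026-05-08T03:13:00Z 203.0.113.7 PUT /ghost/api/admin/posts/a4/ 200",
  "2026-05-08T03:13:05Z 203.0.113.7 PUT /ghost/api/admin/posts/a5/ 200",
  "2026-05-08T03:14:40Z 203.0.113.7 PUT /ghost/api/admin/posts/a6/ 200",
  "2026-05-08T03:15:00Z 198.51.100.4 GET /ghost/api/admin/posts/ 200",
  "2026-05-08T09:00:00Z 198.51.100.4 PUT /ghost/api/admin/posts/b9/ 200",
];
const KNOWN_ADMINS = new Set(["198.51.100.4"]);

console.log(findBulkEdits(SAMPLE_LOG, { knownIps: KNOWN_ADMINS }));
```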

Monitor for reinfection. Multiple threat actors are targeting the same sites. Cleaning up once may not be sufficient if you haven't patched the underlying vulnerability.

The campaign demonstrates how unpatched CMS vulnerabilities quickly become distribution platforms for social engineering attacks. ClickFix techniques continue evolving—there's been a reported 500% surge in cases over the past year—and any web platform with administrative access makes an attractive target. Organizations running Ghost should treat patching as an emergency priority.
