Ghost CMS CVE-2026-26980 is being exploited in a mass website-poisoning campaign that turns compromised Ghost sites into delivery points for ClickFix and FakeCaptcha malware lures. XLab says attackers used the unauthenticated SQL injection flaw to read Ghost database contents, steal Admin API keys, and then bulk-edit posts to inject malicious JavaScript loaders.[2] BleepingComputer reported the campaign after researchers tied the activity to hundreds of poisoned domains.[1]

The vulnerability affects Ghost versions 3.24.0 through 6.19.0 and was fixed in Ghost 6.19.1.[3][5] NVD describes the issue as unauthenticated arbitrary database reads and lists a CVSS 3.1 score of 9.4, with network attack vector, no privileges, and no user interaction required.[4] In normal CMS terms, that is already serious. In this campaign, the database read became a site-control problem because attackers could extract an Admin API key and use Ghost’s own Admin API to modify article content at scale.
XLab says it identified more than 700 poisoned victim domains across personal blogs, SaaS and developer sites, AI and Web3 projects, education, media, nonprofits, and security-related pages.[2] The injected script acted as a loader, sending visitors toward fake verification pages such as Cloudflare-style ClickFix prompts. Those pages ask users to press Win+R, paste a command, and run it, while also using downloads such as update.zip or later payload chains to stage malware.[2]
What Ghost site owners should check now
The first action is simple: upgrade Ghost to 6.19.1 or newer if the site is on any affected branch.[6] Patching stops the vulnerable SQL injection path, but it does not remove scripts that were already written into posts, themes, or code-injection settings. If a Ghost instance was exposed before patching, assume the Admin API key may have been read and rotate Admin API keys, Content API keys, administrator passwords, and active sessions.
For content review, search article bodies and database content for injected loader fingerprints. XLab recommends checking for strings such as ghost_once_footer_, sj.ssc/ipa/, atob( together with appendChild, and btoa(a.origin).[2] Also inspect Ghost Code Injection settings and theme files for unexpected external scripts. Cleaning only the visible editor view is not enough if the payload was stored directly in database-backed post content.
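A content scan along the lines described above, as an added example that is not part of the original article and not XLab's or Ghost's tooling. It checks each content field of a post for the published fingerprints and for `<script src>` hosts outside an allowlist. The post dicts are constructed sample data; the Ghost column names (`html`, `lexical`, `mobiledoc`, `codeinjection_head`, `codeinjection_foot`) and the allowlisted host are assumptions, and the `atob(`/`appendChild` pair is treated as one combined fingerprint, as the text suggests.

```python
import re

# Loader fingerprints reported by XLab for this campaign, matched literally.
# "sj.ssc/ipa/" is the reversed form of a path, so it is matched as published.
SINGLE_FINGERPRINTS = ["ghost_once_footer_", "sj.ssc/ipa/", "btoa(a.origin)"]
# atob( is only flagged together with appendChild (dynamic script injection).
PAIRED_FINGERPRINT = ("atob(", "appendChild")

# Assumed: script hosts the site legitimately loads. Adjust per site.
ALLOWED_SCRIPT_HOSTS = {"cdn.jsdelivr.net"}

# Extracts the host from <script ... src="https://host/...">, with or without scheme.
SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']?(?:https?:)?//([^/"\'\s>]+)', re.I)

# Assumed Ghost post columns that can carry stored content or injected code.
CONTENT_FIELDS = ("html", "lexical", "mobiledoc", "codeinjection_head", "codeinjection_foot")


def scan_text(text):
    """Return (fingerprint hits, unexpected script hosts) for one text field."""
    hits = [fp for fp in SINGLE_FINGERPRINTS if fp in text]
    if all(part in text for part in PAIRED_FINGERPRINT):
        hits.append("+".join(PAIRED_FINGERPRINT))
    hosts = {h.lower() for h in SCRIPT_SRC_RE.findall(text)}
    return hits, sorted(hosts - ALLOWED_SCRIPT_HOSTS)


def scan_posts(posts):
    """Scan every content field of every post; return one finding per field that hit."""
    findings = []
    for post in posts:
        for field in CONTENT_FIELDS:
            hits, hosts = scan_text(post.get(field) or "")
            if hits or hosts:
                findings.append({"post_id": post["id"], "field": field,
                                 "fingerprints": hits, "external_hosts": hosts})
    return findings


# Constructed sample rows: one clean post, one with a fingerprint in the body,
# one with an unexpected script host in the footer injection, one with the atob/appendChild pair.
SAMPLE_POSTS = [
    {"id": "p1", "html": "<p>Release notes</p>", "codeinjection_foot": ""},
    {"id": "p2", "html": "<p>Hi</p><script>/* constructed */var ghost_once_footer_x=1;</script>"},
    {"id": "p3", "html": "<p>ok</p>",
     "codeinjection_foot": '<script src="https://static.example.invalid/a.js"></script>'},
    {"id": "p4", "html": "<script>/* constructed */var s=atob(d);document.body.appendChild(e)</script>"},
]

if __name__ == "__main__":
    for finding in scan_posts(SAMPLE_POSTS):
        print(finding)
```

Run it against rows exported from the `posts` table rather than against the editor view, since the text notes that the stored content is what carries the payload.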
For logs, look for abnormal PUT /ghost/api/admin/posts/:id/ requests, unfamiliar source IPs, unusual user agents, and large numbers of post modifications in a short period. Useful network indicators from XLab include clo4shara[.]xyz, cloud-verification[.]com, jalwat[.]com, com-apps[.]cc, web-telegram[.]ug, staticcloudflare[.]pro, and script-dev[.]digital.[2] If those appear in web content, proxy logs, DNS logs, or browser histories, treat the site and recent visitors as exposed.
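The log review described above, as an added example that is not from the article, XLab or Ghost. It parses access-log lines, counts `PUT /ghost/api/admin/posts/:id/` requests per source IP, flags any IP whose edits cluster beyond a threshold inside a time window, records the user agents used for those edits, and matches the published indicator domains (refanged in memory only) against every line. The combined log format, the threshold, the window and the log lines themselves are assumptions or constructed data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Network indicators published by XLab for this campaign, kept defanged as published.
IOC_DOMAINS = [
    "clo4shara[.]xyz", "cloud-verification[.]com", "jalwat[.]com", "com-apps[.]cc",
    "web-telegram[.]ug", "staticcloudflare[.]pro", "script-dev[.]digital",
]
# Refanged only in memory so they can be matched against real log text.
_REFANGED = [d.replace("[.]", ".") for d in IOC_DOMAINS]

# Assumed: nginx/Apache combined log format. Adapt the regex to the real log shape.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Ghost Admin API post edit endpoint: PUT /ghost/api/admin/posts/:id/
POST_EDIT_RE = re.compile(r"^/ghost/api/admin/posts/[^/?]+/?(?:\?|$)")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def max_in_window(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best = 0
    for i, start in enumerate(times):
        best = max(best, sum(1 for t in times[i:] if t - start <= window))
    return best


def analyze(lines, burst_threshold=5, window=timedelta(minutes=10)):
    """Summarise Admin API post edits per source IP, flag bursts, and match IoC domains."""
    edit_times = defaultdict(list)
    edit_uas = defaultdict(set)
    ioc_hits = []
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        src = rec["ip"] if rec else "?"
        lowered = line.lower()
        # IoC domains are matched on the raw line so referers, paths and UAs are all covered.
        ioc_hits.extend((src, dom) for dom in _REFANGED if dom in lowered)
        if rec is None:
            unparsed += 1
            continue
        if rec["method"] == "PUT" and POST_EDIT_RE.match(rec["path"]):
            edit_times[rec["ip"]].append(rec["ts"])
            edit_uas[rec["ip"]].add(rec["ua"])
    return {
        "edits_by_ip": {ip: len(ts) for ip, ts in edit_times.items()},
        "burst_ips": sorted(ip for ip, ts in edit_times.items()
                            if max_in_window(ts, window) >= burst_threshold),
        "edit_user_agents": {ip: sorted(uas) for ip, uas in edit_uas.items()},
        "ioc_hits": ioc_hits,
        "unparsed_lines": unparsed,
    }


# Constructed sample log: one normal editor edit, a burst of six scripted edits from one
# address, and a visit whose referer carries one of the published indicator domains.
SAMPLE_LOG_LINES = """\
203.0.113.5 - - [20/May/2026:10:00:01 +0000] "GET /welcome/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [20/May/2026:10:05:10 +0000] "PUT /ghost/api/admin/posts/64f0a1/ HTTP/1.1" 200 812 "https://blog.example.invalid/ghost/" "Mozilla/5.0"
198.51.100.7 - - [20/May/2026:11:30:00 +0000] "PUT /ghost/api/admin/posts/64f0a1/ HTTP/1.1" 200 812 "-" "python-requests/2.31.0"
198.51.100.7 - - [20/May/2026:11:30:02 +0000] "PUT /ghost/api/admin/posts/64f0a2/ HTTP/1.1" 200 812 "-" "python-requests/2.31.0"
198.51.100.7 - - [20/May/2026:11:30:04 +0000] "PUT /ghost/api/admin/posts/64f0a3/ HTTP/1.1" 200 812 "-" "python-requests/2.31.0"
198.51.100.7 - - [20/May/2026:11:30:06 +0000] "PUT /ghost/api/admin/posts/64f0a4/ HTTP/1.1" 200 812 "-" "python-requests/2.31.0"
198.51.100.7 - - [20/May/2026:11:30:08 +0000] "PUT /ghost/api/admin/posts/64f0a5/ HTTP/1.1" 200 812 "-" "python-requests/2.31.0"
198.51.100.7 - - [20/May/2026:11:30:10 +0000] "PUT /ghost/api/admin/posts/64f0a6/ HTTP/1.1" 200 812 "-" "python-requests/2.31.0"
192.0.2.44 - - [20/May/2026:12:00:00 +0000] "GET /hello/ HTTP/1.1" 200 9001 "https://staticcloudflare.pro/verify" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG_LINES).items():
        print(key, value)
```

A single legitimate edit from an editor's browser is not flagged; the scripted run of edits is, and the referer hit shows a visitor arriving from an indicator domain, which the text says should be treated as exposure of both the site and its recent visitors.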
The user-side risk is also real. Visitors who saw a fake verification prompt and followed the Win+R instructions should check downloads and recent execution history for payload names and domains mentioned in the campaign, including update.zip, NotepadPlusPlus.zip, and suspicious DLL or EXE launches through rundll32.[2] This is the same social-engineering family as other ClickFix and FakeCaptcha malware covered on howtofix.guide, including Trojan:Win32/ClickFix.ABA and Trojan:HTML/FakeCaptcha.RPA!MTB. Site owners may also want to compare this with recent CMS exploitation patterns such as MetInfo CMS unauthenticated RCE exploitation.
References
- BleepingComputer. “Ghost CMS flaw exploited in ClickFix attacks against websites.” May 24, 2026. https://www.bleepingcomputer.com/news/security/ghost-cms-flaw-exploited-in-clickfix-attacks-against-websites/
- Qianxin XLab. “Ghost CMS Mass Compromised via CVE-2026-26980, Now Fueling ClickFix Attacks.” May 21, 2026. https://blog.xlab.qianxin.com/ghost-cms-mass-compromised-via-cve-2026-26980-now-fueling-clickfix-attacks/
- GitHub Advisory Database. “GHSA-w52v-v783-gw97: Ghost has a SQL Injection in its Content API.” https://github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97
- NVD. “CVE-2026-26980.” https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-26980
- OSV. “CVE-2026-26980.” https://api.osv.dev/v1/vulns/CVE-2026-26980
- Ghost. “Ghost 6.19.1 release.” https://github.com/TryGhost/Ghost/releases/tag/v6.19.1