Ghost CMS CVE-2026-26980 SQL injection exploited at scale - 700+ sites including Harvard, Oxford, DuckDuckGo serve ClickFix lures

Qianxin XLab has documented a large-scale ClickFix campaign exploiting CVE-2026-26980, an SQL injection in Ghost CMS that was disclosed and patched on February 19. The vulnerability lets unauthenticated attackers read arbitrary database content, including admin API keys, which are then used to inject malicious JavaScript into articles. More than 700 domains are confirmed compromised, including Harvard, Oxford, and Auburn universities and DuckDuckGo. Victim browsers receive a fingerprinted iframe overlay impersonating a Cloudflare prompt that instructs users to paste a command into the Windows command prompt; the command drops DLL loaders, JS droppers, or the UtilifySetup.exe Electron-based payload. Two distinct activity clusters compete for the compromised sites.

Check
Inventory Ghost CMS sites by version. Search the HTML of articles published or modified since February 19, 2026 for unexpected inline JavaScript, iframe overlays, or fake Cloudflare prompts. Check admin-API audit logs for suspicious reads.
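A triage helper for the two checks above, added here as an example (it is not XLab's or Ghost's own code): it tests a Ghost version string against the affected range stated in this advisory and scans article HTML for inline scripts, external scripts not on an allowlist, and iframes. The allowlisted analytics host and the sample article are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Vulnerable range stated in the advisory: 3.24.0 through 6.19.0; fixed in 6.19.1
AFFECTED_MIN, FIXED = (3, 24, 0), (6, 19, 1)

def parse_version(v: str) -> tuple:
    """Accept 'v6.19.0' or '6.19.0-beta.1'; return the numeric core as a tuple."""
    core = v.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))

def ghost_version_affected(v: str) -> bool:
    return AFFECTED_MIN <= parse_version(v) < FIXED

class InjectionScanner(HTMLParser):
    """Flag inline scripts, unknown external scripts and every iframe in article HTML."""
    def __init__(self, allowed_script_hosts):
        super().__init__()
        self.allowed = set(allowed_script_hosts)
        self.findings = []
        self._inline = False  # True while inside an inline <script> body

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            src = a.get("src")
            if src is None:
                self._inline = True
            elif urlparse(src).hostname not in self.allowed:
                self.findings.append(("external-script", src))
        elif tag == "iframe":  # overlay iframes carry the fake Cloudflare lure
            self.findings.append(("iframe", a.get("src", "")))

    def handle_data(self, data):
        if self._inline and data.strip():
            self.findings.append(("inline-script", data.strip()[:80]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = False

def find_injected_elements(article_html: str, allowed_script_hosts=()) -> list:
    scanner = InjectionScanner(allowed_script_hosts)
    scanner.feed(article_html)
    return scanner.findings

# Constructed sample: one allowlisted analytics script plus a simulated injected overlay.
SAMPLE_ARTICLE = """<article><h1>Post</h1><p>Hello</p>
<script src="https://analytics.example.edu/a.js"></script>
<script>var f=document.createElement('iframe');document.body.appendChild(f);</script>
<iframe style="position:fixed;inset:0" src="https://verify.example.invalid/"></iframe></article>"""
```

Run `find_injected_elements` over each article body exported from the Ghost content API and review every finding that is not a known theme or analytics script.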
Affected
Ghost CMS versions 3.24.0 through 6.19.0 with the admin API exposed (default). More than 700 sites confirmed compromised, including major universities and tech companies.
Fix
Upgrade Ghost CMS to 6.19.1 or later. Rotate all admin API keys regardless of compromise status. Apply XLab IoCs and review articles for injected JavaScript. Train editors against ClickFix prompts.