Ghost CMS Vulnerability Exploited in Massive Malware Campaign Affecting 700+ Websites

Security researchers have uncovered a large-scale attack campaign exploiting the Ghost CMS vulnerability CVE-2026-26980 to inject malicious ClickFix malware into more than 700 compromised websites worldwide.

Cybersecurity researchers at QiAnXin XLab have revealed an ongoing malware campaign targeting vulnerable Ghost CMS installations across the internet. Attackers are exploiting the critical SQL injection flaw tracked as CVE-2026-26980 to compromise websites and distribute fake CAPTCHA-based malware attacks.

According to the researchers, threat actors are abusing the Ghost CMS vulnerability to extract Admin API Keys without authentication. Once access is obtained, attackers use the Ghost Admin API to modify published content and inject malicious JavaScript payloads into website pages.

The security issue affects Ghost CMS versions 3.24.0 through 6.19.0, while version 6.19.1 includes the official security fix.

“The attacker exploited the high-risk SQL injection vulnerability CVE-2026-26980.”

More Than 700 Websites Reportedly Impacted

Researchers stated that over 700 domains have already been compromised during the campaign. The affected websites reportedly include organizations from sectors such as universities, AI platforms, SaaS providers, blockchain services, media companies, and cybersecurity-related businesses.

The campaign was initially detected on May 7, 2026, after investigators discovered malicious scripts being injected into customer websites running outdated Ghost CMS versions.

Figure: Ghost CMS Poisoning Incident Timeline (Source: XLab).

Attackers Using Fake CAPTCHA and ClickFix Techniques

The injected JavaScript loaders redirect users to fake Cloudflare verification pages designed to mimic legitimate CAPTCHA checks. Victims are then manipulated into executing malicious commands on their own systems through ClickFix-style social engineering methods.

“Injecting malicious JavaScript loaders at the bottom of the pages.”

Researchers explained that the malware infrastructure uses cloaking and browser fingerprinting techniques to avoid detection by automated analysis systems and security scanners. Legitimate users are selectively redirected to the fake verification pages, while security tools may receive harmless content.

Figure: Detection of data-stealing Trojan (Source: XLab).

Critical SQL Injection Vulnerability

The vulnerability itself is categorized as a blind SQL injection flaw within Ghost CMS’s public Content API. Attackers can exploit specially crafted requests to retrieve sensitive information from the database, including API keys, authentication tokens, and user credentials.

Security researchers noted that the vulnerability carries a CVSS severity score of 9.4, making it a critical security issue.

“Unauthenticated attackers can perform arbitrary reads from the database.”

Administrators Urged to Patch Immediately

Experts strongly recommend that website administrators immediately upgrade Ghost CMS installations to version 6.19.1 or later. In addition, organizations should rotate API keys, inspect server logs for suspicious API activity, and scan websites for unauthorized JavaScript modifications.

As a temporary mitigation, security professionals advise blocking requests that carry suspicious slug:[ query patterns, using WAF or reverse proxy rules, until systems are fully patched.
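For the log-inspection step, the following added example (not code from XLab or the Ghost project) flags Content API requests whose query string contains the slug:[ pattern after percent-decoding. It assumes "combined" access-log format; the sample lines, the key value and the filter parameter in them are constructed for illustration. A match is a lead for review, not proof of compromise.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Assumption: nginx/Apache "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
CONTENT_API_PREFIX = "/ghost/api/content/"  # Ghost's public Content API path
PATTERN = "slug:["                          # pattern named in the article

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded input is seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()

def is_suspicious(target):
    """True if a Content API request carries the pattern in its query string."""
    path, _, query = target.partition("?")
    if CONTENT_API_PREFIX not in fully_decode(path):  # also covers subdirectory installs
        return False
    return PATTERN in fully_decode(query)

def scan(lines):
    """Return (line_no, client_ip, timestamp, status) for each flagged request."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if m and is_suspicious(m["target"]):
            hits.append((line_no, m["ip"], m["ts"], m["status"]))
    return hits

# Constructed sample lines (documentation IPs, placeholder key and values).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jun/2026:10:00:01 +0000] "GET /ghost/api/content/posts/?key=EXAMPLEKEY&limit=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jun/2026:10:00:02 +0000] "GET /ghost/api/content/posts/?key=EXAMPLEKEY&filter=slug:[a,b] HTTP/1.1" 200 310 "-" "curl/8.0"',
    '203.0.113.9 - - [01/Jun/2026:10:00:03 +0000] "GET /ghost/api/content/tags/?key=EXAMPLEKEY&filter=slug%3A%5Ba%5D HTTP/1.1" 200 298 "-" "curl/8.0"',
    '203.0.113.9 - - [01/Jun/2026:10:00:04 +0000] "GET /ghost/api/content/posts/?key=EXAMPLEKEY&filter=SLUG%253A%255Ba%255D HTTP/1.1" 200 301 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jun/2026:10:00:05 +0000] "GET /blog/?q=slug:[x] HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print(Counter(ip for _, ip, _, _ in hits).most_common())
```

Clients with many flagged requests in a short window are the ones to correlate with later Admin API activity and with the API key rotation recommended above.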

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, she was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.