
Ghost CMS CVE-2026-26980 ClickFix poisoning

Summary

CVE-2026-26980 is a critical unauthenticated SQL-injection vulnerability in Ghost's Content API, patched in Ghost 6.19.1, that can expose site database contents including Ghost Admin API keys. QiAnXin XLab reports that at least two threat clusters exploited the flaw in the wild to steal Admin API keys, bulk-modify Ghost posts through the Admin API, and inject JavaScript loaders that turn trusted Ghost sites into ClickFix / FakeCaptcha malware-delivery infrastructure.

The durable threat-intelligence value is mass CMS poisoning: XLab identified more than 700 contaminated Ghost domains across personal sites, SaaS/tech blogs, AI, Web3, education, media, security research, fintech, and other sectors. The campaign converts legitimate content sites into browser-to-malware delivery points while preserving attacker flexibility through remote cloaking and payload switching.

Why this matters

  • The exploitation path crosses a dangerous boundary: an unauthenticated read primitive can recover Admin API keys, and those keys can then directly modify site content at scale.
  • Visitors often trust legitimate Ghost-hosted articles, so injected FakeCaptcha / ClickFix flows inherit credibility from real universities, SaaS companies, media sites, security blogs, Web3 projects, and personal publications.
  • The injected first-stage loaders are thin and durable; attackers can swap domains, payloads, targeting logic, or geofencing server-side without re-compromising every site.
  • XLab observed competition between at least two clusters on the same victims, meaning cleanup that only removes one script or one domain may leave a site vulnerable to reinfection or a second actor's implant.
  • Stolen Ghost configuration and credentials can support later lateral movement against adjacent business systems even after the public site is cleaned.

Operational characteristics

  • Initial access: attackers exploit the Content API SQL injection tracked as CVE-2026-26980. GitHub's advisory covers Ghost v3.24.0 through v6.19.0; 6.19.1 contains the fix.
  • Key theft: exploitation can read database contents, including Admin API keys. XLab says attackers used those keys to call Ghost Admin API endpoints and bulk-modify published posts.
  • Page poisoning: the injected article footers load remote JavaScript from attacker infrastructure. Actor A's loader is recognisable by fragments such as ghost_once_footer_, atob(...), appendChild, and btoa(a.origin); it encodes the victim origin with btoa(a.origin) and passes it along when fetching the next stage.
  • Cloaking and distribution: XLab describes a two-stage loader that reached clo4shara[.]xyz/11z77u3.php, later com-apps[.]cc/11z77u3.php, and similar endpoints. The distribution script collected browser/environment fingerprints and used Adspect-style cloaking to route real victims while showing benign content to crawlers or scanners.
  • Social engineering: eligible victims received a forged Cloudflare-style verification page that walked them through the ClickFix sequence (press Win+R, paste the command the page had copied to the clipboard, press Enter) while staging ZIP or script payloads from attacker domains.
  • Payload evolution: early payloads downloaded a Rust-compiled installer.dll via Storj links and launched it with rundll32; later payload paths delivered NotepadPlusPlus.dll, JavaScript downloaders, and UtilifySetup.exe, an Inno Setup-packaged Electron application derived from Grape that persisted through Electron's login-item API and polled web-telegram[.]ug every 30 seconds for commands.
  • Second cluster: XLab also observed a cluster using /api/css.js infrastructure such as staticcloudflare[.]pro and script-dev[.]digital; one decoded delivery URL was cdnupdatenews[.]top/dl?fid=38. XLab notes roughly 500 suspicious domains with the same URI pattern and some VirusTotal linkage to Aeternum, but did not fully attribute the cluster.
  • Timeline: XLab detected the first client incident on 2026-05-07, enumerated 156 victims by 2026-05-10, observed Actor A domain/payload changes on 2026-05-16, and identified 700+ contaminated domains plus a second actor by 2026-05-17.
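The loader fingerprints above are what a responder searches for in the database rather than the editor. The script below is an added example written for this page (not XLab's tooling or Ghost's own code): it scans a Ghost SQLite database for those fingerprints and for any <script src> whose host is outside a site allow list, covering post content columns and the code-injection settings. It assumes a minimal subset of Ghost's posts and settings columns and runs against a constructed in-memory database; example-loader.invalid and cdn.jsdelivr.net are placeholder hosts, not indicators from the report.

```python
"""Scan Ghost post content and code-injection settings for the loader fingerprints."""
import re
import sqlite3

# Fingerprints the page lists for the two clusters. The surrounding regexes and
# the allow-list logic are this example's own and will need tuning per site.
FINGERPRINTS = [
    ("ghost_once_footer", re.compile(r"ghost_once_footer_"),
     "Actor A footer-loader guard variable"),
    ("btoa_origin", re.compile(r"btoa\(\s*\w+\.origin\s*\)"),
     "victim origin encoded for the next-stage request"),
    ("atob_appendchild", re.compile(r"atob\(.*?appendChild", re.S),
     "base64-decoded value followed by DOM insertion"),
    ("reversed_api_css", re.compile(r"sj\.ssc/ipa/"),
     "'/api/css.js' written backwards (second cluster)"),
    ("api_css_js", re.compile(r"/api/css\.js"),
     "second-cluster loader path"),
]

# <script src=...> whose host is outside the allow list (protocol-relative URLs included).
EXTERNAL_SCRIPT = re.compile(
    r"""<script[^>]*\ssrc\s*=\s*["']?(?:https?:)?//([^/"'\s>]+)""", re.I)

# Fields where injected markup can live. Column and setting names follow Ghost's
# posts and settings tables; only this subset is modelled (assumption).
POST_COLUMNS = ("html", "lexical", "mobiledoc",
                "codeinjection_head", "codeinjection_foot")
SETTING_KEYS = ("codeinjection_head", "codeinjection_foot")


def _check(text, location, allowed_hosts, findings):
    """Run every fingerprint plus the external-script check over one field."""
    if not text:
        return
    for name, pattern, detail in FINGERPRINTS:
        hit = pattern.search(text)
        if hit:
            findings.append({"location": location, "fingerprint": name,
                             "detail": detail,
                             "snippet": text[hit.start():hit.start() + 60]})
    for host in EXTERNAL_SCRIPT.findall(text):
        if host.lower() not in allowed_hosts:
            findings.append({"location": location, "fingerprint": "external_script",
                             "detail": f"script loaded from {host}", "snippet": host})


def scan_ghost_db(conn, allowed_hosts=()):
    """Return findings for every post content column and code-injection setting.

    conn is an open sqlite3 connection; for a MySQL production site run the
    same queries against a dump or read replica instead.
    """
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for column in POST_COLUMNS:          # column names come from a constant, not input
        for slug, text in conn.execute(f"SELECT slug, {column} FROM posts"):
            _check(text, f"posts:{column}:{slug}", allowed, findings)
    marks = ",".join("?" * len(SETTING_KEYS))
    for key, value in conn.execute(
            f"SELECT key, value FROM settings WHERE key IN ({marks})", SETTING_KEYS):
        _check(value, f"settings:{key}", allowed, findings)
    return findings


def build_sample_db():
    """Constructed in-memory stand-in for a Ghost database (not real victim data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts (id INTEGER PRIMARY KEY, slug TEXT, html TEXT, lexical TEXT,
            mobiledoc TEXT, codeinjection_head TEXT, codeinjection_foot TEXT);
        CREATE TABLE settings (key TEXT PRIMARY KEY, value TEXT);
    """)
    clean = '<p>Hello</p><script src="https://cdn.jsdelivr.net/npm/x.js"></script>'
    # Shape of an Actor A style footer: guard variable, atob, btoa(a.origin), appendChild.
    footer_a = ('<p>Article</p><script>if(!window.ghost_once_footer_k){'
                'window.ghost_once_footer_k=1;var a=location,s=document.createElement("script");'
                's.src=atob(p)+"?o="+btoa(a.origin);document.body.appendChild(s);}</script>')
    # Second-cluster style string reversal hiding /api/css.js.
    footer_b = '<script>var u="sj.ssc/ipa/".split("").reverse().join("");</script>'
    conn.executemany("INSERT INTO posts (slug, html, codeinjection_foot) VALUES (?, ?, ?)",
                     [("clean", clean, None), ("poisoned-a", footer_a, None),
                      ("poisoned-b", "<p>ok</p>", footer_b)])
    # example-loader.invalid is a placeholder host, not an indicator from the report.
    conn.execute("INSERT INTO settings VALUES (?, ?)", ("codeinjection_foot",
                 '<script src="https://example-loader.invalid/api/css.js"></script>'))
    return conn


if __name__ == "__main__":
    for f in scan_ghost_db(build_sample_db(), allowed_hosts={"cdn.jsdelivr.net"}):
        print(f'{f["location"]:40} {f["fingerprint"]:18} {f["snippet"]}')
```

The external-script check is the more durable half: the string fingerprints change when the actor re-tools, but a script tag pointing at a host the site never used does not. Build the allow list from a known-good backup of the same site, not from the current database.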

Defender heuristics

  • Upgrade Ghost to 6.19.1 or later immediately; do not rely on hiding Content API keys because the Content API key is public by design and Ghost states there is no application-level workaround.
  • Rotate Admin API keys, Content API keys, staff/admin passwords, sessions, and any adjacent credentials exposed in Ghost configuration after a suspected exploitation window.
  • Search Ghost content at the database level (post html/lexical/mobiledoc columns and the per-post and site-wide code-injection fields), not only through the editor UI, for injected <script> fragments and fingerprints including ghost_once_footer_, sj.ssc/ipa/ (the second cluster's /api/css.js path written backwards), atob( combined with appendChild, and btoa(a.origin).
  • Review Ghost Admin API logs for abnormal PUT /ghost/api/admin/posts/:id/ requests, especially unfamiliar IPs, unusual user agents, bursts of bulk post edits, or edits shortly after suspicious Content API filter requests.
  • Check Code Injection settings, themes, and template files for unexpected script tags; attackers may use multiple persistence locations.
  • Hunt proxy/WAF/web logs for Content API requests whose filter parameter contains slug%3A%5B (or its decoded form slug:[), which Ghost lists as a temporary blocking pattern for this SQL-injection class; decode the query string before matching so that double-encoded variants are not missed.
  • For visitors exposed during the contamination period, communicate the ClickFix risk and look for downloads or browser history involving cloud-verification[.]com, com-apps[.]cc, jalwat[.]com, taketwolabs[.]com, or related domains.
  • Preserve Ghost database snapshots, access logs, Admin API logs, reverse-proxy logs, WAF events, and filesystem mtimes before cleanup so post-exploitation scope can be reconstructed.
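The two log heuristics above (the slug:[ filter probe and the burst of Admin API post edits) can be run together, because the page's key point is the chain between them. The script below is an added example written for this page, not part of XLab's report or Ghost's code: it parses nginx "combined" access-log lines, flags Content API requests whose decoded query carries the slug:[ marker, finds per-IP bursts of PUT /ghost/api/admin/posts/:id/ requests inside a sliding window, and notes whether a burst followed a probe. The log lines are constructed with RFC 5737 addresses and placeholder post ids; the filter value is only the encoded prefix, not a working payload, and the burst threshold is an assumption to tune per site.

```python
"""Hunt reverse-proxy access logs for Content API filter probes and Admin API edit bursts."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote, urlsplit

# nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
CONTENT_PREFIX = "/ghost/api/content/"
# PUT /ghost/api/admin/posts/:id/ ; the id format is left open (assumption).
ADMIN_POST_PUT = re.compile(r"^/ghost/api/admin/posts/[^/?]+/?$")
SQLI_MARKER = "slug:["   # blocking pattern the page cites; slug%3A%5B is its encoded form


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_filter_probe(path):
    """Content API request whose (double-)decoded query carries the slug:[ marker."""
    url = urlsplit(path)
    if not url.path.startswith(CONTENT_PREFIX):
        return False
    return SQLI_MARKER in unquote(unquote(url.query))


def hunt(lines, burst_count=10, burst_window=timedelta(minutes=5)):
    """Return suspected SQLi probes and per-IP bursts of admin post edits."""
    probes, puts = [], defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "GET" and is_filter_probe(rec["path"]):
            probes.append(rec)
        elif rec["method"] == "PUT" and ADMIN_POST_PUT.match(urlsplit(rec["path"]).path):
            puts[rec["ip"]].append(rec)
    bursts = []
    for ip, recs in puts.items():
        recs.sort(key=lambda r: r["time"])
        start = 0
        for end in range(len(recs)):           # sliding window over sorted edits
            while recs[end]["time"] - recs[start]["time"] > burst_window:
                start += 1
            if end - start + 1 >= burst_count:
                bursts.append({
                    "ip": ip, "count": end - start + 1,
                    "first": recs[start]["time"], "last": recs[end]["time"],
                    "user_agents": sorted({r["ua"] for r in recs[start:end + 1]}),
                    # an edit burst preceded by a probe (from any IP) is the chain the page describes
                    "after_probe": any(p["time"] <= recs[start]["time"] for p in probes),
                })
                break
    return {"probes": probes, "bursts": bursts}


def sample_log():
    """Constructed log lines (RFC 5737 addresses, placeholder ids), not real traffic."""
    fmt = '{ip} - - [10/May/2026:{t} +0000] "{m} {p} HTTP/1.1" 200 512 "-" "{ua}"'
    lines = [
        fmt.format(ip="198.51.100.4", t="11:58:30", m="GET",
                   p="/ghost/api/content/posts/?key=abc&limit=5", ua="Mozilla/5.0"),
        # encoded filter prefix only; no working payload is reproduced here
        fmt.format(ip="203.0.113.7", t="12:00:01", m="GET",
                   p="/ghost/api/content/posts/?key=abc&filter=slug%3A%5Bx%5D",
                   ua="python-requests/2.31"),
        fmt.format(ip="198.51.100.4", t="13:00:00", m="PUT",
                   p="/ghost/api/admin/posts/aaaaaaaaaaaaaaaaaaaaaaaa/", ua="Mozilla/5.0"),
    ]
    base = datetime(2026, 5, 10, 12, 40, 0)
    for i in range(12):   # twelve edits in two minutes from the probing IP
        lines.append(fmt.format(ip="203.0.113.7",
                                t=(base + timedelta(seconds=10 * i)).strftime("%H:%M:%S"),
                                m="PUT", p=f"/ghost/api/admin/posts/{i:024x}/",
                                ua="python-requests/2.31"))
    return lines


if __name__ == "__main__":
    result = hunt(sample_log())
    for p in result["probes"]:
        print("probe", p["ip"], p["time"], p["path"])
    for b in result["bursts"]:
        print("burst", b["ip"], b["count"], "edits", b["first"], "->", b["last"],
              "after_probe=%s" % b["after_probe"], b["user_agents"])
```

Run it against the reverse-proxy log, not only Ghost's own log: the Content API probe and the Admin API edits may arrive through different paths, and a burst from an IP that never logged into Ghost Admin is the signal that a stolen Admin API key, rather than a stolen session, is being used.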

Sources

  • QiAnXin XLab: https://blog.xlab.qianxin.com/ghost-cms-mass-compromised-via-cve-2026-26980-now-fueling-clickfix-attacks/
  • Ghost / GitHub Security Advisory GHSA-w52v-v783-gw97: https://github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97
  • The Hacker News: https://thehackernews.com/2026/05/ghost-cms-cve-2026-26980-exploited-to.html
  • CVE record: https://www.cve.org/CVERecord?id=CVE-2026-26980