Ghost CMS CVE-2026-26980 SQL Injection Exploited in Large-Scale ClickFix Campaign: What Site Owners Must Do Now

Ghost CMS CVE-2026-26980 is a critical SQL injection flaw actively exploited across 700 domains. Learn what versions are affected and how to fix it now.

A critical SQL injection vulnerability in Ghost CMS is being exploited across more than 700 domains in a large-scale ClickFix campaign. Ghost CMS is used by more than 57,000 websites, including 404 Media, The Canadian Government, and Duolingo. Tracked as CVE-2026-26980, the flaw lets unauthenticated attackers extract sensitive data from the Ghost database, including admin API keys, and use those keys to inject malicious JavaScript into published articles.

Ghost CMS CVE-2026-26980 SQL Injection Exploited in Large-Scale ClickFix Campaign: What Site Owners Must Do Now

If your site runs Ghost CMS version 3.24.0 through 6.19.0 and has not been updated to 6.19.1, treat it as a target.

What Is CVE-2026-26980?

CVE-2026-26980 is a SQL injection vulnerability in Ghost’s Content API. The flaw lives in the slug filter ordering functionality, where the original code embedded user-supplied slug values directly into SQL CASE statements using string concatenation instead of parameterized queries.

Because Ghost’s Content API key is public by design, this vulnerability requires no authentication. Any attacker with network access to a Ghost instance can send a crafted API request, inject SQL syntax, and read arbitrary data from the underlying database. The attack surface is completely open to external traffic.

NIST rates CVE-2026-26980 at 7.5 HIGH. GitHub’s own security team rates it 9.4 CRITICAL. The higher CNA score reflects the full exploitation chain: extracting admin API keys gives write access to all site content, not just database read access.

Ghost patched the flaw in version 6.19.1 on February 19, 2026, by replacing string concatenation with parameterized query bindings.

How Attackers Exploit CVE-2026-26980 to Hijack Your Ghost Site

XLab threat intelligence researchers at Qianxin discovered the active campaign and confirmed exploitation across more than 700 domains. Compromised sites include Harvard University, Oxford University, Auburn University, and DuckDuckGo.

Attackers follow a consistent multi-stage chain across every compromised site:

Stage 1: SQL injection via the Content API

Attackers send a malicious Content API request with injected SQL in the slug filter ordering parameter. The vulnerable code processes the injection and returns admin API keys directly from the database.

Stage 2: JavaScript injection into articles

Using the stolen admin API key, attackers call the Ghost admin API and modify published articles to embed a lightweight JavaScript loader. The loader is designed to blend in with normal page scripts.

Stage 3: Second-stage payload delivery

The JavaScript loader fetches obfuscated second-stage code from attacker-controlled infrastructure. That code fingerprints each visitor to filter for viable targets based on device type, browser, and network signals.

Stage 4: ClickFix lure

Visitors who pass the fingerprint check see a fake Cloudflare verification page loaded via an iframe layered over the article content. The page instructs victims to verify they are human by pasting a provided command into their Windows command prompt. That command downloads and executes a payload on the victim’s machine.

XLab documented multiple payload types across compromised sites, including DLL loaders, JavaScript droppers, and an Electron-based installer named UtilifySetup.exe.

SentinelOne identified at least two distinct threat clusters targeting vulnerable Ghost installations. The clusters competed directly: one cleaned the other’s injected script and replaced it with its own. Some domains were re-infected within hours of cleanup.

The ClickFix technique works because it bypasses browser and OS defenses entirely. The victim executes the malware themselves by following on-screen instructions that appear legitimate.

Which Ghost CMS Versions Are Vulnerable to CVE-2026-26980?

CVE-2026-26980 affects:

  • Ghost CMS versions 3.24.0 through 6.19.0
  • All self-hosted Ghost installations within this version range
  • Managed Ghost deployments that have not applied the 6.19.1 update

The 700-domain figure reflects confirmed XLab findings at the time of reporting. The total number of affected sites is likely higher because many Ghost site owners have not audited their version status or reviewed their admin API logs.

Attackers targeted sites across industries and sizes without discrimination. Universities, AI and SaaS companies, fintech platforms, security blogs, media outlets, and personal sites were all compromised. This is consistent with opportunistic mass exploitation: automated scanners identify every reachable vulnerable version and hit them all, regardless of the site’s traffic or perceived value.

How to Fix CVE-2026-26980

1. Upgrade to Ghost 6.19.1 or Later

This is the only complete fix. Run the following commands on your Ghost server:

# Upgrade Ghost to the patched version
ghost update

# Verify the installed version
ghost version

The version check output must confirm 6.19.1 or higher before you proceed to any other step.

2. Rotate All Admin API Keys

Admin API keys present before the upgrade may have been extracted. Go to your Ghost admin panel and rotate every API key. Revoke any previously issued tokens.

Ghost’s own advisory treats key rotation as mandatory, not optional. Attackers who extracted your keys before you patched can continue using them until you revoke them.

3. Audit All Published Articles and Active Themes

Check every published article and active theme for injected JavaScript. XLab published indicators of compromise (IoCs) that include injected script signatures. Compare your article HTML against those signatures to locate and remove any malicious code.

4. Review Admin API Logs for the Past 30 Days

XLab recommends maintaining a 30-day record of admin API call logs to support retrospective investigation. Review those logs for unusual read patterns, unexpected write operations to article endpoints, or requests from unfamiliar IP addresses.

5. Deploy a Temporary WAF Rule if Immediate Patching Is Not Possible

A reverse proxy or Web Application Firewall rule can block Content API requests that contain slug%3A%5B or slug:[ in the query string filter parameter. Note that this workaround can break legitimate slug filter functionality, and it does not replace upgrading Ghost.

The Vulnerable Code and the Fix

The root cause is in Ghost’s slug-filter-order.js utility. The original code built SQL strings by interpolating user-supplied slug values directly:

// Vulnerable code (before patch)
order += `WHEN \`${table}\`.\`slug\` = '${slug}' THEN ${index} `;

This pattern lets attackers break out of the string context and inject arbitrary SQL. The patch replaces this with parameterized bindings:

// Patched code (Ghost 6.19.1)
caseParts.push(`WHEN \`${table}\`.\`slug\` = ? THEN ?`);
bindings.push(slug.trim(), index);

User-supplied values are now passed as bound parameters. The database engine treats them as data, not executable SQL.

Why Removing the Injected Script Does Not Fix CVE-2026-26980

Several site owners removed the injected JavaScript without patching the underlying SQL injection flaw. XLab documented multiple cases where the same domains were re-infected within hours of cleanup. The attacker infrastructure automatically re-exploits known-vulnerable targets on a continuous basis.

Removing the malicious script while leaving CVE-2026-26980 unpatched does not protect your site or your visitors. The only path to recovery is upgrading to Ghost 6.19.1, rotating all admin API keys, and confirming your article content is clean.

Related Tech Guides

Leave a Comment

Comments

No comments yet. Why don’t you start the discussion?

    Leave a Reply