HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Ghost CMS SQL Injection (CVE‑2026‑26980) Fuels Massive ClickFix Campaign Hijacking 700+ Education & Tech Sites

LiveThreat™ Intelligence · 📅 May 26, 2026· 📰 malwarebytes.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
HIGH
🏢
Affected
3 sector(s)
Actions
6 recommended
📰
Source
malwarebytes.com

Ghost CMS SQL Injection (CVE‑2026‑26980) Fuels Massive ClickFix Campaign Hijacking 700+ Education & Tech Sites

What It Is

A critical unauthenticated SQL injection flaw in Ghost’s Content API (CVE‑2026‑26980) allows attackers to read the database, steal the Admin API key, and inject malicious JavaScript into any Ghost‑powered site. The stolen key is used to serve a “ClickFix” payload that masquerades as a Cloudflare or CAPTCHA verification, prompting visitors to copy‑paste a Windows command that installs malware.

Exploitability

The vulnerability is publicly known, actively exploited, and has been weaponised in a large‑scale campaign. Exploit code is trivial (a crafted API request) and a patched Ghost release (≥ 6.20.0) is already available. CVSS v3.1 ≈ 9.8 (Critical) due to remote code execution via user‑initiated command.

Affected Products

  • Ghost CMS versions 3.24.0 – 6.19.0 (any deployment exposing the Content API).

TPRM Impact

  • Universities, online learning platforms, and tech‑company blogs that rely on Ghost for content delivery are prime targets.
  • Compromise of a single site can be leveraged to spread malware to thousands of end‑users, creating downstream supply‑chain risk for partner organizations that embed or reference the compromised content.
  • Theft of the Admin API key also enables content manipulation, data exfiltration, and brand‑damage attacks that affect vendor reputation.

Recommended Actions

  • Patch Immediately – Upgrade Ghost to the latest stable release (≥ 6.20.0) and verify the patch is applied across all environments.
  • Rotate Secrets – Regenerate Admin API keys for every affected instance and revoke any previously issued keys.
  • Audit Content – Scan all Ghost sites for unauthorized JavaScript injections; remove any suspicious scripts.
  • Implement WAF Rules – Block known SQL‑i payload patterns against the Content API endpoint.
  • User Awareness – Educate staff and end‑users to never copy‑paste commands from web pages, especially verification dialogs.
  • Monitor Logs – Enable detailed request logging for the Content API and set alerts for anomalous access patterns.

Source: https://www.malwarebytes.com/blog/bugs/2026/05/700-education-and-tech-websites-hijacked-in-huge-clickfix-malware-campaign

📰 Original Source
https://www.malwarebytes.com/blog/bugs/2026/05/700-education-and-tech-websites-hijacked-in-huge-clickfix-malware-campaign

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →