Ghost CMS SQL Injection (CVE‑2026‑26980) Fuels Massive ClickFix Campaign Hijacking 700+ Education & Tech Sites
What It Is
A critical unauthenticated SQL injection flaw in Ghost’s Content API (CVE‑2026‑26980) allows attackers to read the database, steal the Admin API key, and inject malicious JavaScript into any Ghost‑powered site. The stolen key is used to serve a “ClickFix” payload that masquerades as a Cloudflare or CAPTCHA verification, prompting visitors to copy‑paste a Windows command that installs malware.
Exploitability
The vulnerability is publicly known, actively exploited, and has been weaponised in a large‑scale campaign. Exploit code is trivial (a crafted API request) and a patched Ghost release (≥ 6.20.0) is already available. CVSS v3.1 ≈ 9.8 (Critical) due to remote code execution via user‑initiated command.
Affected Products
- Ghost CMS versions 3.24.0 – 6.19.0 (any deployment exposing the Content API).
TPRM Impact
- Universities, online learning platforms, and tech‑company blogs that rely on Ghost for content delivery are prime targets.
- Compromise of a single site can be leveraged to spread malware to thousands of end‑users, creating downstream supply‑chain risk for partner organizations that embed or reference the compromised content.
- Theft of the Admin API key also enables content manipulation, data exfiltration, and brand‑damage attacks that affect vendor reputation.
Recommended Actions
- Patch Immediately – Upgrade Ghost to the latest stable release (≥ 6.20.0) and verify the patch is applied across all environments.
- Rotate Secrets – Regenerate Admin API keys for every affected instance and revoke any previously issued keys.
- Audit Content – Scan all Ghost sites for unauthorized JavaScript injections; remove any suspicious scripts.
- Implement WAF Rules – Block known SQL‑i payload patterns against the Content API endpoint.
- User Awareness – Educate staff and end‑users to never copy‑paste commands from web pages, especially verification dialogs.
- Monitor Logs – Enable detailed request logging for the Content API and set alerts for anomalous access patterns.
Source: https://www.malwarebytes.com/blog/bugs/2026/05/700-education-and-tech-websites-hijacked-in-huge-clickfix-malware-campaign