HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Critical SQL Injection in Ghost CMS (CVE‑2026‑26980) Powers Large‑Scale ClickFix Campaign

A critical unauthenticated SQL injection (CVE‑2026‑26980) in Ghost CMS is being weaponised in a large‑scale ClickFix campaign that has compromised over 700 domains, including university portals and fintech sites. Attackers steal admin API keys, inject malicious JavaScript, and deliver Windows‑based payloads, creating a high‑risk supply‑chain threat for organisations that rely on third‑party Ghost sites.

LiveThreat™ Intelligence · 📅 May 24, 2026· 📰 bleepingcomputer.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
5 recommended
📰
Source
bleepingcomputer.com

Critical SQL Injection in Ghost CMS (CVE‑2026‑26980) Powers Large‑Scale ClickFix Campaign

What It Is – Ghost CMS (versions 3.24.0‑6.19.0) contains an unauthenticated SQL‑injection (CVE‑2026‑26980) that lets attackers read arbitrary database rows, including admin API keys, and then inject malicious JavaScript. The flaw is being leveraged in a coordinated “ClickFix” campaign that serves fake Cloudflare verification prompts to harvest Windows command‑line payloads.

Exploitability – Active exploitation confirmed on >700 domains; public PoC and IoC feeds exist. CVSS v3.1 base score 9.8 (Critical).

Affected Products – Ghost CMS 3.24.0 through 6.19.0 (open‑source publishing platform).

TPRM Impact – The vulnerability resides in a third‑party content‑management system used by universities, SaaS providers, fintech firms, and media outlets. Compromise of admin API keys can lead to supply‑chain injection of malware, credential leakage, and downstream data exfiltration affecting your downstream customers and partners.

Recommended Actions

  • Immediately upgrade all Ghost installations to 6.19.1 or later.
  • Rotate every admin API key that existed before the upgrade.
  • Deploy the XLab/SentinelOne IoC list to scan for injected scripts and second‑stage loaders.
  • Enforce a 30‑day retention of admin API call logs for forensic review.
  • Verify that any third‑party sites you rely on (e.g., partner blogs, embedded widgets) have patched Ghost.

Source: BleepingComputer – Ghost CMS SQL injection flaw exploited in large‑scale ClickFix campaign

📰 Original Source
https://www.bleepingcomputer.com/news/security/ghost-cms-sql-injection-flaw-exploited-in-large-scale-clickfix-campaign/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →