Critical SQL Injection in Ghost CMS (CVE‑2026‑26980) Powers Large‑Scale ClickFix Campaign
What It Is – Ghost CMS (versions 3.24.0‑6.19.0) contains an unauthenticated SQL‑injection (CVE‑2026‑26980) that lets attackers read arbitrary database rows, including admin API keys, and then inject malicious JavaScript. The flaw is being leveraged in a coordinated “ClickFix” campaign that serves fake Cloudflare verification prompts to harvest Windows command‑line payloads.
Exploitability – Active exploitation confirmed on >700 domains; public PoC and IoC feeds exist. CVSS v3.1 base score 9.8 (Critical).
Affected Products – Ghost CMS 3.24.0 through 6.19.0 (open‑source publishing platform).
TPRM Impact – The vulnerability resides in a third‑party content‑management system used by universities, SaaS providers, fintech firms, and media outlets. Compromise of admin API keys can lead to supply‑chain injection of malware, credential leakage, and downstream data exfiltration affecting your downstream customers and partners.
Recommended Actions –
- Immediately upgrade all Ghost installations to 6.19.1 or later.
- Rotate every admin API key that existed before the upgrade.
- Deploy the XLab/SentinelOne IoC list to scan for injected scripts and second‑stage loaders.
- Enforce a 30‑day retention of admin API call logs for forensic review.
- Verify that any third‑party sites you rely on (e.g., partner blogs, embedded widgets) have patched Ghost.
Source: BleepingComputer – Ghost CMS SQL injection flaw exploited in large‑scale ClickFix campaign