Ghost CMS SQL Injection CVE-2026-26980 Exploited

CVE-2026-26980 in Ghost CMS is being actively exploited in a ClickFix campaign hitting 700+ domains. Here's what happened and how to protect your site.

May 24, 2026 | VibeWShield News Agent | Source: bleepingcomputer.com
Editorial note: This article was generated by VibeWShield's AI news agent based on the original report. It has been reviewed for accuracy but may contain AI-generated summaries. Always verify critical details from the original source.

Ghost CMS SQL Injection Flaw Fuels Massive ClickFix Campaign

A critical SQL injection vulnerability in Ghost CMS is being actively exploited at scale. CVE-2026-26980 affects Ghost versions 3.24.0 through 6.19.0, and threat actors are using it to compromise sites, steal admin API keys, and inject malicious JavaScript that tricks visitors into running malware on their own machines.

XLab researchers at Qianxin confirmed infections across more than 700 domains. The list includes university portals (Harvard, Oxford, Auburn), DuckDuckGo, AI and SaaS companies, fintech firms, media outlets, and security blogs. The patch dropped on February 19, 2026, in version 6.19.1. A significant number of administrators never applied it, and now they are cleaning up compromises.

How the SQL Injection Attack Works

The attack chain is straightforward once you see it laid out. Attackers first send unauthenticated requests that exploit CVE-2026-26980 to read arbitrary data from the Ghost database. The target is the admin API key stored there.

With that key, they get full management access: users, articles, and themes. They use it to inject a lightweight JavaScript loader directly into article content. That loader calls out to attacker-controlled infrastructure to fetch a second-stage cloaking script.

The cloaking script fingerprints each visitor, checking things like browser environment and behavior to determine whether the person is a useful target. Visitors who pass the filter get served a fake Cloudflare verification prompt loaded inside an iframe overlaid on the article page. That prompt is the ClickFix lure.

The ClickFix Social Engineering Layer

ClickFix works by convincing users they need to manually verify themselves as human. The fake prompt tells visitors to open their Windows command prompt and paste a provided command. That command drops a payload.

XLab observed several different payloads being delivered, including DLL loaders, JavaScript droppers, and an Electron-based malware sample called UtilifySetup.exe. Attackers are not locked into one payload, which means the campaign infrastructure is flexible and actively maintained.

SentinelOne noted at least two distinct threat clusters targeting Ghost sites. In some cases, one cluster cleaned the other's injected script and replaced it with its own. Some domains were re-infected multiple times after cleanup, suggesting automated re-exploitation of unpatched instances.

What Developers and Site Owners Are Actually Risking

The direct impact is site compromise and visitor infection. If you run Ghost CMS on an older version, your admin API key may already be exposed. Anyone who visited your articles during the active injection window may have been served the ClickFix payload.

Beyond the immediate damage, your domain's reputation takes a hit. Search engines and browser security lists flag sites distributing malware. Rebuilding that trust takes longer than patching the CMS would have.

For developers who built products or integrations on top of Ghost, any API keys used across services connected to that Ghost installation should be treated as compromised until rotated.

How to Protect Your Ghost CMS Installation

The fix is straightforward. Update to Ghost CMS version 6.19.1 or later immediately. After updating, rotate all admin API keys. Any key that existed before the patch should be treated as exposed, whether or not you see obvious signs of compromise.

Audit your articles and theme files for injected script tags or unfamiliar iframe elements. XLab published indicators of compromise including known injected script patterns. Cross-reference your site content against those.

Maintain at least 30 days of admin API call logs. If you have logs available, review them for unusual read patterns or API calls that do not match your normal deployment activity. This retrospective visibility is what lets you determine the actual exposure window.

Automated attack-surface scanning of your Ghost instance can reveal misconfigured endpoints or lingering injected content that manual review misses. A tool like VibeWShield's scanner can help identify exposed API endpoints and injected scripts before they reach your visitors.

For ongoing coverage of SQL injection campaigns and web vulnerability exploitation, see the VibeWShield blog.


What versions of Ghost CMS are affected by CVE-2026-26980? Ghost versions 3.24.0 through 6.19.0 are vulnerable. Version 6.19.1 and later include the fix.

If I already patched, do I need to rotate my API keys? Yes. The patch stops new exploitation, but any keys present before updating may have already been read from the database. Rotate them regardless of whether you see signs of active compromise.

How do I check if my site was already injected with malicious JavaScript? Review all article content and theme files for unfamiliar script tags or iframes. Cross-reference against the IoCs published by XLab. Running an automated scan against your live site can also surface injected content and unexpected external script sources.
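The content audit described above and in the "How to Protect" section, as an added example that is not part of the original report or of Ghost's own tooling: it walks post HTML in the shape Ghost's Admin API returns for posts (a `posts` list with a `title` and `html` field, an assumption about the response format) and flags externally sourced scripts, inline script bodies, and iframes not from an allowlisted host. The sample posts and the allowlist hosts are constructed for this example.

```python
import json
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts/frames from (constructed; adjust per site).
ALLOWED_HOSTS = {"example-blog.test", "www.youtube.com"}


class TagFinder(HTMLParser):
    """Collects external <script src>, inline script bodies and non-allowlisted <iframe>s."""

    def __init__(self):
        super().__init__()
        self.findings = []      # list of (kind, detail) tuples
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            src = attrs.get("src")
            host = urlparse(src).hostname if src else None
            if host and host not in ALLOWED_HOSTS:      # relative srcs are same-origin
                self.findings.append(("external-script", src))
        elif tag == "iframe":
            # Overlay iframes may have no src at all (populated later by script), so
            # anything not clearly from an allowlisted host is reported for review.
            src = attrs.get("src") or ""
            if (urlparse(src).hostname or "") not in ALLOWED_HOSTS:
                self.findings.append(("iframe", src))

    def handle_data(self, data):
        # Inline script bodies are where a lightweight loader is typically dropped.
        if self._in_script and data.strip():
            self.findings.append(("inline-script", data.strip()[:80]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def audit_posts(posts_json):
    """Return {post title: [(kind, detail), ...]} for every post with a suspicious element."""
    report = {}
    for post in json.loads(posts_json)["posts"]:
        finder = TagFinder()
        finder.feed(post.get("html") or "")
        if finder.findings:
            report[post["title"]] = finder.findings
    return report


# Constructed sample in the Admin API posts shape; the third post mimics an inline loader.
SAMPLE = json.dumps({"posts": [
    {"title": "Clean post", "html": "<p>Hello</p><iframe src=\"https://www.youtube.com/embed/x\"></iframe>"},
    {"title": "Injected post", "html": "<p>Hi</p><script src=\"https://cdn.attacker.example/l.js\"></script>"},
    {"title": "Inline loader", "html": "<p>x</p><script>var s=document.createElement('script');</script>"},
]})

if __name__ == "__main__":
    for title, hits in audit_posts(SAMPLE).items():
        print(title, hits)
```

Anything reported is a starting point for manual review against the XLab indicators, not a verdict; legitimate embeds should be added to the allowlist as they are confirmed.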


Scan your Ghost CMS installation now for injected scripts and exposed endpoints at VibeWShield.
