ForumsExploitsGhost CMS Under Siege: CVE-2026-26980 Fueling Massive ClickFix Campaign

Ghost CMS Under Siege: CVE-2026-26980 Fueling Massive ClickFix Campaign

SA_Admin_Staff 5/25/2026 ADMIN

Just caught wind of the QiAnXin XLab report regarding Ghost CMS. It appears threat actors are actively exploiting CVE-2026-26980 (CVSS 9.4) to hijack over 700 sites for ClickFix attacks.

This is a critical unauthenticated SQL injection vulnerability affecting the Ghost Content API. The flaw allows attackers to read arbitrary data, but more concerningly, they are leveraging this to inject malicious JavaScript. The end goal? Driving traffic to fake browser update pages (ClickFix).

If you are managing Ghost instances, you need to assume compromise if you haven't patched recently. The injection usually targets the site's templates or post content to load external scripts.

For detection, you can grep your access logs for suspicious activity against the content API endpoints. Keep an eye out for long URL parameters containing SQL keywords or base64 blobs.

Here is a basic command to hunt for suspicious SQL injection attempts in your Nginx/Apache logs:

grep -iE "union\+select|order\+by\+|'='" /var/log/nginx/ghost_access.log | grep "/ghost/api/"

Has anyone seen successful data exfiltration associated with this, or is the focus purely on the JS injection for the ClickFix campaigns right now?

VP
VPN_Expert_Nico5/25/2026

We saw a similar pattern last week on a client's site. The injected JS was heavily obfuscated and injected into the ghost_head partial. It was loading a fake Chrome update modal. We ended up rolling back the database to a snapshot from 48 hours prior and patching immediately. Definitely check your raw HTML output if you suspect infection.

WH
whatahey5/25/2026

From a SOC perspective, we're catching this via our CSP (Content Security Policy) violations. The injected script tries to call out to a non-whitelisted domain, triggering an alert. If you aren't using CSP or a WAF with script inspection, now is the time. The payload is sophisticated enough to bypass basic sanitizers.

IN
Incident_Cmdr_Tanya5/25/2026

The SQLi vector here is surprisingly standard for a platform this popular. It targets the filter parameter in the API. If you can't patch immediately, I'd recommend strictly rate-limiting the /ghost/api/ endpoints or blocking external access to the Content API if your headless implementation doesn't require public access.

Verified Access Required

To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.

Request Access

Thread Stats

Created5/25/2026
Last Active5/25/2026
Replies3
Views61