Mitigating the Ghost CMS ClickFix Wave (CVE-2026-26980)
Hey everyone, looks like Ghost CMS is getting hammered right now.
According to QiAnXin XLab, CVE-2026-26980 (CVSS 9.4) is being actively exploited in the wild to hijack over 700 sites. This is an unauthenticated SQL injection vulnerability specifically affecting the Ghost Content API.
The concerning part is the payload delivery. Threat actors aren't just dumping data; they are leveraging this flaw to inject malicious JavaScript directly into site content to fuel ClickFix attacks (those notorious fake browser update scams).
If you manage any Ghost instances, you need to prioritize patching immediately. If you can't patch right now, restrict access to the /ghost/api/v*/content/ endpoints via IP whitelisting.
For those looking to hunt for compromises, check your posts table for injected script tags. You can run a quick SQL check if you have direct DB access:
SELECT id, title FROM posts WHERE html LIKE '%<script%' AND html NOT LIKE '%cdn.jsdelivr.net%';
(Adjust the exclusion list based on your trusted JS sources).
Also, keep an eye on your access logs for anomalous API usage patterns. Has anyone detected this on their perimeter yet? I'm interested to see if standard SQLi signatures are catching the API requests or if the API structure is bypassing them.
We caught a few of these yesterday. The SQLi requests looked like standard API calls to our SIEM, but the user-agents were weird. We added a Sigma rule to correlate high-frequency 200 OK responses on the Content API from single IPs.
Here is a basic grep we used on the nginx access logs to spot the scanning attempts:
grep "POST /ghost/api" /var/log/nginx/access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head
Just patched our staging instances. The vulnerability allows reading arbitrary data, but in this campaign, they are updating the posts table via the SQLi to insert the JS.
Make sure you check your mobiledoc or html columns. Also, enabling Ghost's built-in CSP headers (if not already) can mitigate the impact of the XSS even if the injection happens, preventing the ClickFix payload from loading external scripts.
The exploit works because the Content API endpoint fails to properly sanitize user input passed to a SQL query. It's a classic blind/time-based scenario in some cases, or union-based in others.
If you can't patch, look at ModSecurity rules. Something like blocking UNION SELECT or WAITFOR DELAY specifically on the ghost/api paths is a decent stopgap, though obviously not a replacement for the fix.
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access