Ghost CMS flaw abused to push ClickFix attacks on hundreds of sites

Pierluigi Paganini
May 25, 2026

Threat actors are actively exploiting a security flaw, tracked as CVE-2026-26980, in Ghost CMS that was fixed months ago in real attacks against unpatched websites. According to Qianxin, the campaign has already affected more than 700 sites, including well-known organizations and universities.

The vulnerability is an SQL injection issue in Ghost’s Content API that can let an attacker read data from the database without logging in. In the worst case, this can expose the Admin API key, which can allow attackers to take over the site.

That key matters because it can be used to change published content. In this campaign, attackers used it to edit articles on compromised Ghost sites and insert malicious JavaScript at the end of pages. The goal was not just defacement, but to turn trusted websites into launch points for further malware delivery.

“After an in-depth investigation and analysis, we determined that this was not a targeted intrusion against the customer, but rather a large-scale poisoning campaign by an in-the-wild attack group targeting Ghost CMS. Although CVE-2026-26980 was publicly disclosed as early as February 19, a large number of users did not patch and upgrade in time, providing an opportunity for attackers.” reads the advisory published by Qianxin. “At least two groups are currently actively conducting such poisoning operations, and some sites have even become the target of competition between the two parties, with different malicious code being implanted one after another within a single day.”

The inserted code led visitors through a two-step chain. First, the page loaded a remote script that checked the browser and decided what the visitor should see. Then real victims were redirected to a fake verification page that looked like a normal “I’m human” check.

This is where the ClickFix part began. The page told users to press Windows+R, paste a command, and hit Enter. In practice, that command downloaded and started a malware payload on the victim’s machine. It was a classic social engineering trick: make the user do the dangerous part themselves.

Qianxin says the first signs of this activity appeared in early May. The malicious code found in the campaign had a compilation date of February 16, the same day Ghost announced the fix for CVE-2026-26980. That suggests the attackers moved quickly once they saw how many sites had not been updated.

The affected websites cover a wide range of sectors. Roughly half are personal blogs or independent sites, but the list also includes technology blogs, AI sites, media outlets, crypto projects, and educational institutions. Qianxin researchers say victims include sites linked to Harvard, Oxford, and DuckDuckGo.

The attack chain was also designed to be flexible. The loaders could fetch different payloads depending on the target, and the operators changed infrastructure several times.

“entire attack process has obvious five-stage characteristics of “CMS Takeover → Page Poisoning → Two-stage Loading → Social Engineering Lure (FakeCaptcha/ClickFix) → Malware Delivery”, and the entire process is highly automated: bulk vulnerability scanning → automatic key extraction → bulk injection → dynamic C2 distribution.” states the report.

In some cases, they switched domains after detection, keeping the campaign alive even when part of the chain was blocked.

“Through feature scanning of publicly accessible pages, we have cumulatively identified more than 700 poisoned victim domains, and have proactively contacted the sites for which contact information could be obtained, notifying them of the poisoning.” continues the report.

Qianxin also believes at least two different groups are involved. In some cases, the same site was hit more than once, with one attacker replacing the code left by another. That makes the campaign harder to clean up and shows how attractive compromised Ghost sites have become for abuse.

For site owners, the advice is straightforward. Ghost should be updated immediately, all credentials should be rotated, and site logs should be reviewed for suspicious admin API activity. Any injected scripts should be removed from the database itself, not just from the visual editor. Visitors who may have reached a poisoned site should also be warned.

The report includes Indicators of Compromise (IoCs) for the attacks observed by the researchers.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon