Threat actors have exploited CVE-2026-26980, a critical SQL injection vulnerability in Ghost CMS, to compromise over 700 websites and inject malicious JavaScript for ClickFix attacks. The vulnerability carries a CVSS score of 9.4, indicating severe risk.

The flaw exists in Ghost's Content API and requires no authentication to exploit. Attackers inject code that redirects visitors to fake support pages, tricking users into believing their browsers are infected. This social engineering tactic pressures victims into downloading malware or paying for bogus remediation services.

QiAnXin XLab discovered the widespread campaign targeting Ghost installations. The scale of the compromise demonstrates how quickly threat actors weaponize newly disclosed vulnerabilities. Ghost CMS powers numerous content publishing platforms, making it an attractive target for attackers seeking high-traffic redirect opportunities.

The vulnerability allows unauthenticated attackers to read arbitrary data from the database, granting access to sensitive information stored on affected sites. The injection point in the Content API means attackers can manipulate queries without needing valid credentials, making remediation urgent for Ghost administrators.

ClickFix scams have grown increasingly prevalent over the past two years. The technique exploits user psychology rather than technical sophistication. When the injected code runs on a compromised website, visitors see alarming pop-ups claiming virus detection or a security breach. The fake alerts list phone numbers for bogus support teams that charge fees for nonexistent fixes.

Site administrators running Ghost should immediately update to patched versions. Organizations hosting Ghost instances must verify their sites have not been compromised by checking JavaScript files and database logs for unauthorized modifications. Blocking malicious redirects at the CDN or WAF level provides temporary mitigation while updates deploy.
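The two checks the paragraph above recommends for hosting teams, looking for unauthorized modifications to the site's JavaScript and spotting injected script tags, can be scripted. The block below is an added example written for this article; it is not code from Ghost or from the researchers who reported the campaign. It records SHA-256 hashes of a theme directory as a baseline, reports files that later change or appear, and scans rendered HTML for script tags whose host is not on an allowlist or whose inline body rewrites `location`. The directory layout, the allowlist, the `.invalid` hostnames and the sample page are all constructed for the demo, and the `location` heuristic is an assumption about what a redirect payload looks like, not a signature from the incident.

```python
"""Baseline-and-diff check for a theme directory plus a scan of rendered HTML
for script tags that should not be there.  Added example; every path,
hostname and sample document below is constructed, not taken from a real site."""
import hashlib
import json
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Matches each <script ...>...</script> element, capturing attributes and body.
SCRIPT_TAG_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_ATTR_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
# Heuristic (an assumption, not an IoC): inline code that navigates the page away.
REDIRECT_HINT_RE = re.compile(
    r"\b(?:window|document|top)\.location\b|\blocation\.(?:href|replace|assign)\b"
)


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large bundles do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, suffixes=(".js", ".hbs", ".html")) -> dict:
    """Map every script/template file under root (relative POSIX path) to its hash.
    Take the baseline from a known-good copy of the theme, not from a live site
    that may already be tampered with."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in suffixes
    }


def diff_baseline(root: Path, baseline: dict) -> dict:
    """Compare the directory as it is now against a stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def find_unexpected_scripts(html: str, allowed_hosts) -> list:
    """Flag external scripts from hosts outside the allowlist and inline scripts
    that appear to redirect the visitor.  Same-origin (relative) sources pass."""
    findings = []
    for attrs, body in SCRIPT_TAG_RE.findall(html):
        src_match = SRC_ATTR_RE.search(attrs)
        if src_match:
            src = src_match.group(1)
            host = urlparse(src).netloc.lower()  # also handles //host/path forms
            if host and host not in allowed_hosts:
                findings.append({"kind": "external", "src": src, "reason": "host not in allowlist"})
        elif REDIRECT_HINT_RE.search(body):
            findings.append({"kind": "inline", "snippet": body.strip()[:80],
                             "reason": "inline script changes location"})
    return findings


def run_demo() -> dict:
    """Build a constructed theme directory, record a baseline, simulate tampering,
    then return what both checks report."""
    root = Path(tempfile.mkdtemp(prefix="theme-demo-"))
    (root / "assets").mkdir()
    main_js = root / "assets" / "main.js"
    main_js.write_text("console.log('theme loaded');\n")
    (root / "default.hbs").write_text("<html><body>{{{body}}}</body></html>\n")
    baseline = build_baseline(root)

    # Simulated tampering (constructed): a redirect appended, a new file dropped.
    main_js.write_text(main_js.read_text() + "window.location='https://bad.invalid/';\n")
    (root / "assets" / "loader.js").write_text("/* constructed extra file */\n")
    drift = diff_baseline(root, baseline)

    # Constructed rendered page: one same-origin, one allowlisted, one foreign,
    # one inline redirect.
    rendered = (
        "<html><head>"
        "<script src='/assets/main.js'></script>"
        "<script src='https://cdn.allowed.invalid/lib.js'></script>"
        "<script src='https://injected.invalid/c.js'></script>"
        "<script>setTimeout(function(){top.location.href='https://support.invalid';},500);"
        "</script></head></html>"
    )
    findings = find_unexpected_scripts(rendered, {"cdn.allowed.invalid"})
    return {"drift": drift, "findings": findings}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run the baseline step against the theme as shipped and store the hashes off the web host; a baseline captured after a compromise simply records the injected code as normal. The HTML scan complements the file check because an injection stored in the database (a code-injection setting or a post body) never touches the theme files and only shows up in the rendered page.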

For users, skepticism toward pop-up warnings remains essential security hygiene. Legitimate browser vendors do not display security warnings through third