Ghost CMS flaw hijacked to target hundreds of websites with ClickFix attacks — here’s how to stay safe
- Researchers warn CVE‑2026‑26980, a critical SQL injection flaw in Ghost CMS (score 9.4), is being exploited in a large ClickFix campaign
- Over 700 domains, including Harvard, Oxford, DuckDuckGo, and major AI/SaaS firms, were compromised to deliver malware via DLL loaders, JS droppers, and Electron‑based payloads
- Admins should urgently upgrade to Ghost 6.19.1 or later and monitor 30‑day admin API logs to detect potential compromise
A critical-severity vulnerability that reportedly was patched three months ago is being exploited in a massive ClickFix campaign, researchers have claimed.
In mid-February 2026, a critical SQL injection vulnerability was found in Ghost CMS, a popular open-source Content Management System (CMS) currently used by more than 57,000 websites, including the likes of 404 Media, The Canadian government, and Duolingo.
The flaw, tracked as CVE-2026-26980 and affecting Ghost 3.24.0 through 6.19.0, was assigned a severity score of 9.4/10 (critical), as it potentially allows unauthenticated attackers to perform arbitrary reads from the database, which grants management access to users, articles, themes, as well as article pages.
Deploying various malware
However, many users most likely did not patch, as Chinese cybersecurity firm Qianxin claims more than 700 domains were compromised to serve ClickFix attack flows.
Among them are Harvard University, Oxford University, Auburn University, DuckDuckGo, and many AI/SaaS company sites, media outlets, fintech firms, and others.
ClickFix is a type of scam in which attackers tell the victims they have a problem (which they don’t) and then provide the solution (which it really isn’t). The “solution”, however, just deploys a piece of malware, and depending on the attackers and the targets, it can vary from classic backdoors to ransomware encryptors.
In this campaign, the researchers saw DLL loaders, JavaScript droppers, and a generic Electron-based malware being distributed.
The best way to mitigate the threat is to simply upgrade the Ghost CMS either to version 6.19.1, or whatever the latest version is at the moment. Website owners are also advised to keep a 30-day record of admin API call logs, just to keep track of potential compromise.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
