Attackers are actively exploiting a critical SQL injection vulnerability in Ghost CMS to hijack publisher sites and redirect their readers toward Windows malware, with researchers identifying more than 700 compromised domains — including Harvard University, Oxford University, Auburn University, and DuckDuckGo — all running unpatched installations months after a fix became available.
CVE-2026-26980: SQL Injection in Ghost CMS 3.24.0 Through 6.19.0
The vulnerability, tracked as CVE-2026-26980, affects Ghost CMS versions 3.24.0 through 6.19.0. Researchers at XLab documented the active exploitation campaign and found that attackers use the SQL injection flaw to steal administrator API keys from vulnerable installations. Once admin credentials are in hand, the attackers inject malicious JavaScript directly into published articles across the compromised site.
The patch — Ghost version 6.19.1 — was released on February 19, 2026, but the scope of the ongoing campaign reflects how many installations went unpatched in the months that followed.
How the Ghost CMS Attack Chain Delivers ClickFix Malware to Site Visitors
The full attack chain extends well beyond the initial server-side compromise. The injected JavaScript loads a cloaking script that fingerprints each visitor before presenting them with a fake Cloudflare verification prompt. That prompt is a ClickFix lure: it instructs the visitor to paste a command into the Windows command prompt, claiming it is necessary for page access.
When a visitor follows the instructions, DLL loaders and a file called UtilifySetup.exe execute on the victim’s machine. The attack chain is designed to infect readers of the compromised site, not only the site’s administrators. Each hijacked Ghost CMS installation effectively becomes a malware distribution node for its entire readership.
Compromised Organizations and the 700-Domain Scale
XLab identified over 700 domains running compromised Ghost CMS installations at the time of disclosure. The affected sites span independent publishers, AI and SaaS companies, media outlets, fintech firms, and security research organizations — along with high-profile educational institutions including Harvard, Oxford, and Auburn University, as well as the privacy-focused search engine DuckDuckGo.
Ghost CMS is widely deployed by organizations and individuals who use it for independent publishing, corporate communications, and security research blogs. The combination of high-trust publisher domains with a ClickFix social engineering layer means the campaign targets audiences that may have strong reason to trust the sites serving them malicious content.
Remediation: Ghost 6.19.1 Patch and API Key Rotation
XLab’s research and Ghost’s own advisory both point to the same immediate remediation path: upgrade to Ghost 6.19.1 or later. The patch closes the SQL injection flaw that allows API key theft.
Admin API Log Review and Forensic Investigation Window
Upgrading alone does not address installations that were compromised before patching. XLab recommends rotating all admin API keys immediately after upgrading, since stolen keys remain valid after the underlying vulnerability is closed. Administrators should also maintain and review 30 days of admin API logs to identify whether unauthorized API access occurred before the patch was applied.
Sites that served compromised articles to readers before remediation should consider whether reader notification or takedown of affected article versions is warranted, given that the injected JavaScript was designed to actively execute malware on visitor machines.
Ghost CMS site operators who have not yet applied the February 19 patch should treat this as an emergency update. The active exploitation campaign, the publicly documented attack chain, and the large number of already-compromised high-profile sites indicate that automated scanning and exploitation of unpatched installations are ongoing.
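As an added triage example for the remediation steps above (this is not XLab's or Ghost's code), the script below checks whether an installed Ghost version string falls in the affected range and scans already-published post HTML for injected script tags. It assumes the operator has pulled each post's HTML from the site's export or Admin API and maintains an allowlist of script hosts the site legitimately embeds; the sample posts and hosts are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Affected range stated in the advisory: 3.24.0 through 6.19.0, fixed in 6.19.1.
AFFECTED_MIN, FIXED = (3, 24, 0), (6, 19, 1)

def is_affected(version):
    """True if a Ghost version string such as 'v6.19.0' is in the vulnerable range."""
    parts = [int(p) for p in version.strip().lstrip("v").split(".")[:3]]
    return AFFECTED_MIN <= tuple(parts + [0] * (3 - len(parts))) < FIXED

class ScriptFinder(HTMLParser):
    """Collect every <script> in a post body: external src or inline text."""
    def __init__(self):
        super().__init__()
        self.scripts, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._cur = {"src": dict(attrs).get("src"), "inline": ""}
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["inline"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.scripts.append(self._cur)
            self._cur = None

def suspicious_scripts(html, allowed_hosts):
    """Flag inline scripts and external scripts whose host is not allowlisted."""
    p = ScriptFinder()
    p.feed(html)
    p.close()
    flagged = []
    for s in p.scripts:
        host = re.sub(r"^(?:https?:)?//", "", s["src"] or "").split("/")[0].lower()
        # Inline JS does not belong in an article body, and an unlisted host is a
        # third-party loader the site never sanctioned: either one needs a look.
        if s["src"] is None or host not in allowed_hosts:
            flagged.append(s)
    return flagged

# Constructed sample posts; the hosts are placeholders, not real indicators.
SAMPLE_POSTS = {
    "clean-post": '<p>Hi</p><script src="https://cdn.example.org/embed.js"></script>',
    "tampered-post": '<p>Hi</p><script src="//loader.example.invalid/c.js"></script>'
                     '<script>document.title = "x";</script>',
}
ALLOWED_HOSTS = {"cdn.example.org"}
```

Run `suspicious_scripts` over every post in the export; any hit on a post whose revision history shows no editor change is a candidate for the API-key misuse the advisory describes and should be cross-checked against the 30-day admin API log window.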
