700+ university and tech sites hijacked via Ghost CMS bug
Attackers exploited Ghost CMS SQL injection CVE-2026-26980 to steal Admin API keys and inject fake Cloudflare checks that prompt users to run Windows commands installing malware.
Attackers exploited a critical SQL injection vulnerability in the Ghost content management system, tracked as CVE-2026-26980, to hijack more than 700 university and technology websites. The attackers stole administrative API keys and injected malicious JavaScript that presents fake Cloudflare or CAPTCHA checks to site visitors.
The injected script launches a ClickFix social engineering flow that instructs users to copy and paste a command into the Windows Run dialog or PowerShell. Executing those commands downloads and installs malware on the visitor’s device. Researchers observed pressure techniques on altered pages, including countdown timers and fake user counters, to push visitors into following the instructions quickly.
The flaw affects Ghost versions 3.24.0 through 6.19.0 and can be exploited without authentication. Using the vulnerability, attackers read site databases, extracted Admin API keys and used those keys to modify posts and pages and insert scripts across compromised sites.
Researchers wrote: “Without any authentication, an attacker can directly read the database contents through this vulnerability, including the Admin API Key used to call the Ghost Admin API.” With a stolen Admin API key, attackers can edit, delete or create posts, change themes and otherwise modify site content and appearance.
A patched Ghost release is available. Researchers and security practitioners recommend that site operators apply the vendor update, rotate any exposed Admin API keys, review recent content and theme changes for unauthorized edits, check logs for unexpected Admin API activity and restore clean backups where available.
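
One way to carry out the content review recommended above, as an added example that is not code from Ghost or from the researchers: it checks recently edited post records for script tags and ClickFix-style lure text. The field names are assumed to follow Ghost's JSON export, and the marker patterns and sample posts are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Post fields that can carry markup (assumed to match Ghost's export field names).
FIELDS = ("html", "codeinjection_head", "codeinjection_foot")

# Heuristic markers constructed for this example; they are not IoCs from the report.
MARKERS = {
    "script_tag": re.compile(r"<script\b", re.I),
    "clipboard_write": re.compile(r"navigator\.clipboard\.writeText", re.I),
    "run_dialog_lure": re.compile(r"win(dows)?\s*(key)?\s*\+\s*r\b|run dialog", re.I),
    "shell_command": re.compile(r"\b(powershell|mshta|cmd\.exe)\b", re.I),
    "fake_check": re.compile(r"verify (you are|you're) human|checking your browser", re.I),
}

def audit_posts(posts, since):
    """Return (slug, updated_at, markers) for posts edited at or after `since`."""
    findings = []
    for post in posts:
        updated = datetime.fromisoformat(post["updated_at"].replace("Z", "+00:00"))
        if updated < since:
            continue  # outside the review window
        text = "\n".join(post.get(f) or "" for f in FIELDS)
        hits = sorted(name for name, rx in MARKERS.items() if rx.search(text))
        if hits:
            findings.append((post["slug"], post["updated_at"], hits))
    # Most markers first, so likely injections are triaged before plain embeds.
    return sorted(findings, key=lambda f: -len(f[2]))

# Constructed sample records (not real site data).
SAMPLE_POSTS = [
    {"slug": "welcome", "updated_at": "2026-03-02T09:00:00.000Z", "html": "<p>Hello</p>"},
    {"slug": "campus-news", "updated_at": "2026-03-05T01:12:00.000Z",
     "html": "<p>News</p><script>navigator.clipboard.writeText('PLACEHOLDER')</script>"
             "<p>Press Win + R and paste to verify you are human.</p>"},
    {"slug": "events", "updated_at": "2026-03-04T11:00:00.000Z", "html": "<p>Events</p>",
     "codeinjection_foot": "<script src='https://example.com/w.js'></script>"},
    {"slug": "old-embed", "updated_at": "2025-06-01T00:00:00.000Z",
     "html": "<script src='https://example.com/w.js'></script>"},
]

if __name__ == "__main__":
    for slug, when, hits in audit_posts(SAMPLE_POSTS, datetime(2026, 3, 1, tzinfo=timezone.utc)):
        print(f"{when}  {slug}: {', '.join(hits)}")
```

A hit on `script_tag` alone is often a legitimate embed; posts that also match the clipboard or lure markers are the ones to compare against a clean backup first.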
For users, the incident illustrates a ClickFix tactic in which trusted websites deliver urgent technical instructions that lead to local command execution. Guidance from researchers includes not running commands copied from web pages, verifying suspicious technical instructions with official site support or documentation, typing commands manually if they must be run, and keeping endpoint anti-malware and browser protections up to date.
Ghost is an open-source CMS used by media outlets, universities and technology companies. The vulnerability’s ability to expose administrative keys without login increases risk for multi-site deployments and for organizations that delegate publishing to multiple users.








