Full Report
Threat actors are exploiting a recently disclosed critical security flaw in Ghost CMS to inject malicious JavaScript code with an aim to fuel ClickFix attacks. According to QiAnXin XLab, the activity involves the exploitation of CVE-2026-26980 (CVSS score: 9.4), an SQL injection vulnerability in Ghost's Content API that could allow an unauthenticated attacker to read arbitrary data from the
Analysis Summary
# Vulnerability: Critical SQL Injection in Ghost CMS Content API
## CVE Details
- **CVE ID:** CVE-2026-26980
- **CVSS Score:** 9.4 (Critical)
- **CWE:** SQL Injection (CWE-89)
## Affected Systems
- **Products:** Ghost CMS
- **Versions:** Prior to 6.19.1
- **Configurations:** Systems utilizing the Ghost Content API
## Vulnerability Description
An unauthenticated SQL injection vulnerability exists in the Ghost Content API. A remote attacker can exploit this flaw to read arbitrary data from the database. Most critically, this allows an attacker to retrieve the **Admin API Key**. With this key, the attacker gains administrative control via the Admin API, enabling them to modify existing articles or inject malicious code into the CMS frontend.
## Exploitation
- **Status:** Exploited in the wild (fueled "ClickFix" campaigns)
- **Complexity:** Low
- **Attack Vector:** Network (Remote/Unauthenticated)
## Impact
- **Confidentiality:** High (Full database read access, including API keys)
- **Integrity:** High (Ability to modify, inject, or tamper with all site content)
- **Availability:** Medium (Potential for site disruption or account lockout)
## Remediation
### Patches
- **Ghost CMS 6.19.1 or later:** Users should update immediately to this version or the latest available maintenance release.
### Workarounds
- **Restrict API Access:** If updates cannot be applied immediately, restrict access to the Content and Admin APIs to trusted IP addresses only.
- **Audit Admin API Keys:** Rotate all Admin API keys if there is any suspicion of compromise.
## Detection
- **Indicators of Compromise (IoCs):**
  - **Injected Scripts:** Look for unauthorized JavaScript loaders at the bottom of articles, specifically referencing external domains such as `clo4shara[.]xyz`.
  - **Suspicious API Activity:** Monitor logs for unauthorized or voluminous calls to the Admin API originating from unknown IP addresses.
  - **ClickFix Artifacts:** Presence of fake CAPTCHA iframes attempting to trick users into running PowerShell or Windows Run commands.
- **Detection Methods:**
  - Audit the Ghost CMS database for any modifications to the `posts` or `pages` tables that include unknown script tags.
  - Use web integrity monitoring to detect changes in published content.
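The following is an added example, not code from the original report or from the Ghost project, showing how the two detection methods above can be put into practice: it scans the stored HTML of Ghost `posts`/`pages` rows for `<script>` and `<iframe>` tags whose `src` points at a host outside a site-specific allowlist, and reports inline scripts for review. The sample rows, the allowlist and the `cdn.example-analytics.com` host are constructed for the example; the flagged domain is the IoC named in this report, written in plain (non-defanged) form so it can be parsed.

```javascript
// Added example (not from the original report or Ghost's own code):
// audit Ghost post/page HTML for injected script loaders and fake-CAPTCHA iframes.

// Constructed rows in the shape of Ghost's `posts` table (id, slug, html).
// clo4shara.xyz is the domain listed in this report's IoCs; the others are made up.
const SAMPLE_POSTS = [
  { id: 1, slug: 'welcome',
    html: '<p>Hello</p><script src="https://cdn.example-analytics.com/a.js"></script>' },
  { id: 2, slug: 'tampered',
    html: '<p>Article</p>\n<script src="https://clo4shara.xyz/loader.js"></script>' },
  { id: 3, slug: 'captcha-bait',
    html: '<p>Verify</p><iframe src="https://clo4shara.xyz/captcha.html"></iframe>' },
  { id: 4, slug: 'inline',
    html: '<p>Inline</p><script>document.body.append(document.createElement("script"))</script>' },
];

// Hosts this site legitimately loads scripts or frames from (assumption: per-site config).
const ALLOWED_HOSTS = new Set(['cdn.example-analytics.com']);

// Open tags of interest; group 1 = tag name, group 2 = raw attribute string.
const TAG_RE = /<(script|iframe)\b([^>]*)>/gi;
// src="..." | src='...' | src=bare
const SRC_RE = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

// Resolve a src against a placeholder origin so relative and protocol-relative
// URLs both parse; relative URLs come back with the placeholder host.
const SELF_HOST = 'site.invalid';
function hostOf(src) {
  try {
    return new URL(src, `https://${SELF_HOST}`).hostname.toLowerCase();
  } catch {
    return null; // unparseable src: treated as suspicious by the caller
  }
}

// Returns a list of findings for one HTML document.
function scanHtml(html, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const srcMatch = SRC_RE.exec(m[2]);
    const src = srcMatch ? (srcMatch[1] ?? srcMatch[2] ?? srcMatch[3]) : null;
    if (src === null) {
      // Inline scripts are legitimate in some embeds, so they are reported for review.
      if (tag === 'script') findings.push({ tag, src: null, reason: 'inline script' });
      continue;
    }
    const host = hostOf(src);
    if (host === SELF_HOST) continue; // same-origin asset, not an external loader
    if (host === null || !allowedHosts.has(host)) {
      findings.push({ tag, src, reason: `external host ${host} not in allowlist` });
    }
  }
  return findings;
}

// Returns only the rows that produced findings, each with its finding list.
function auditPosts(rows, allowedHosts = ALLOWED_HOSTS) {
  return rows
    .map(r => ({ id: r.id, slug: r.slug, findings: scanHtml(r.html, allowedHosts) }))
    .filter(r => r.findings.length > 0);
}

console.log(JSON.stringify(auditPosts(SAMPLE_POSTS), null, 2));
```

In a real audit the rows would come from `SELECT id, slug, html FROM posts` (and the same for pages) rather than the constructed array, and the allowlist would be the site's known CDN and embed hosts; anything else with a `src` on a foreign host, especially appended at the end of the article body, is the pattern this report describes.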
## References
- **Vendor Advisory:** https://github[.]com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97
- **Threat Research:** https://blog[.]xlab[.]qianxin[.]com/ghost-cms-mass-compromised-via-cve-2026-26980-now-fueling-clickfix-attacks/
- **Security Database:** https://www[.]sentinelone[.]com/vulnerability-database/cve-2026-26980/