Threats

Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks

Attackers exploited an SQL injection vulnerability in Ghost CMS, tracked as CVE-2026-26980, to compromise more than 700 websites running the popular open-source publishing platform. The injected payloads presented visitors with fake CAPTCHA verification pages that, when interacted with, executed malicious scripts delivering ClickFix malware. This technique — known as a ClickFix campaign — leverages the trust users place in legitimate websites and the familiarity of CAPTCHA challenges to bypass suspicion. The scale of the compromise highlights the cascading impact of vulnerabilities in widely deployed CMS platforms, where a single flaw can turn hundreds of trusted domains into malware distribution points. Ghost CMS administrators should urgently apply patches and audit their installations for injected content, even if the vulnerability itself has been remediated.

View on Graph

Overview

  • Attackers exploited an SQL injection vulnerability in Ghost CMS, tracked as CVE-2026-26980, to compromise more than 700 websites running the popular open-source publishing platform.
  • The injected payloads presented visitors with fake CAPTCHA verification pages that, when interacted with, executed malicious scripts delivering ClickFix malware.
  • This technique — known as a ClickFix campaign — leverages the trust users place in legitimate websites and the familiarity of CAPTCHA challenges to bypass suspicion.
  • The scale of the compromise highlights the cascading impact of vulnerabilities in widely deployed CMS platforms, where a single flaw can turn hundreds of trusted domains into malware distribution points.
  • Ghost CMS administrators should urgently apply patches and audit their installations for injected content, even if the vulnerability itself has been remediated.

Sources