Ghost CMS CVE‑2026‑26980 Exploited in Wild, Hijacking Over 700 Sites for ClickFix Attacks

Security Reporter

A critical SQL‑injection flaw (CVE‑2026‑26980) in Ghost CMS’s Content API is being weaponized by multiple threat groups. Attackers steal admin API keys, inject malicious JavaScript loaders, and launch large‑scale ClickFix campaigns that deliver Windows payloads via fake CAPTCHA pages. The article explains how the exploit works, why it matters, and what operators should do to protect their sites.

Ghost CMS CVE‑2026‑26980 – a high‑severity (CVSS 9.4) SQL injection in the Content API – has moved from a disclosed bug to an active, large‑scale weapon. Since early May, more than 700 Ghost installations across universities, SaaS platforms, fintech firms and AI research sites have been compromised, with attackers using the flaw to inject JavaScript loaders that fuel “ClickFix” attacks.


How the vulnerability works

The bug lives in the endpoint that serves public content via the Content API. By crafting a specially‑formed request, an unauthenticated attacker can execute arbitrary SQL, read the settings table and extract the admin API key. That key is effectively a master password for the Ghost Admin API – it lets the holder create, edit or delete any post, page or theme.

"The admin API key is the single point of trust for a Ghost instance. Once an attacker has it, they can rewrite the entire site without ever touching the underlying server," explains Dr. Lina Cheng, senior security researcher at QiAnXin XLab.

With the key in hand, the threat actors call the Admin API to bulk‑update articles. They append a two‑stage JavaScript loader at the bottom of each page. The loader contacts a remote domain (clo4shara[.]xyz/11z77u3.php) that hosts a traffic‑distribution script powered by the commercial cloaking service Adspect. The script fingerprints the visitor’s browser, decides whether the request looks like a real user, and then serves one of 19 possible commands – ranging from a simple redirect to a full‑blown payload drop.

The ClickFix chain

  1. Loader execution – The injected script runs silently when a visitor loads the compromised article.
  2. Fingerprint & decision – Adspect checks for headless browsers, known scanner user‑agents, and other heuristics.
  3. Fake CAPTCHA – If the visitor passes the check, the script injects an iframe that displays a bogus CAPTCHA page.
  4. User interaction – The page instructs the victim to copy a Base64‑encoded string into the Windows Run dialog.
  5. Dropper – The decoded command launches a PowerShell one‑liner that downloads a DLL or a JavaScript payload.
  6. Final payload – The DLL is executed via rundll32.exe and delivers a signed PuTTY binary; the JavaScript payload drops an Inno Setup installer for a modified Grape Electron client. The client connects back to web‑telegram[.]ug every 30 seconds, awaiting further commands.

The end result is a stealthy Windows executable on the victim’s machine, often used for credential harvesting, lateral movement or ransomware deployment.


Why this campaign matters

  • Scale – Over 700 sites compromised in less than three weeks, with some clusters updating an entire site in a single day.
  • Legitimacy – Victims include reputable universities and fintech services, which boosts user trust and makes the fake CAPTCHA more convincing.
  • Modular payloads – The two‑stage loader lets attackers swap the final payload without touching the compromised Ghost instances, extending the campaign’s lifespan.
  • Supply‑chain risk – Many of the affected sites host third‑party themes and plugins; a single compromised theme can propagate the malicious loader across dozens of installations.

Expert reactions

  • QiAnXin XLab – “We are seeing at least two distinct threat clusters using the same injection technique. The speed of deployment suggests automated tooling built around the Ghost admin API.”
  • Brian Kelley, senior analyst at Mandiant, notes that “ClickFix attacks are a clever evolution of classic CAPTCHA‑bypass scams. By leveraging a trusted CMS, the attackers bypass many traditional web‑filtering defenses.”
  • Anthropic’s Claude – The AI model that originally identified the SQL injection flagged the query pattern as "high‑risk for privilege escalation" during its internal code‑review scans.

Immediate mitigation steps

  1. Upgrade Ghost – Move all instances to v6.19.1 or later, which patches CVE‑2026‑26980. The release notes are available on the official Ghost changelog.
  2. Rotate admin API keys – Regenerate keys from the Ghost admin UI and invalidate any previously issued tokens.
  3. Audit content – Scan the database for unexpected <script> tags at the end of posts. Tools like grep or the Ghost CLI (ghost content:list) can help locate injected snippets.
  4. Review logs – Look for abnormal API calls to /admin/posts/ or bulk‑update endpoints. The presence of the X‑Ghost‑API‑Key header from unknown IP ranges is a red flag.
  5. Apply WAF rules – Block suspicious SQL‑injection payloads targeting /ghost/api/v3/content/ and enforce rate‑limiting on the Content API.
  6. Notify users – If you suspect visitors may have interacted with the fake CAPTCHA, advise them to run a reputable anti‑malware scan and avoid executing unknown commands.
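
As an added example (not from the article and not Ghost's own tooling), the following Python implements steps 3 and 4 above from the defender's side: it peels <script> tags off the end of exported post HTML and flags any whose origin is not allow-listed, and it counts successful write calls to the Admin API posts endpoint per source IP from access-log lines, reporting IPs outside trusted ranges that bulk-update posts. The allowlist, the log layout, the trusted IP ranges and the sample post and log lines are all constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse
ALLOWED_SCRIPT_HOSTS = {"cdn.example.org"}  # constructed allowlist of legitimate script origins
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)""", re.I)
# Combined-format access log line (constructed layout): ip - - [time] "METHOD path proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

def suspicious_trailing_scripts(post_html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """<script> tags appended at the very end of a post whose src host is not allow-listed."""
    body, tail = post_html.rstrip(), []
    while True:  # peel script tags off the end of the post, last one first
        matches = list(SCRIPT_RE.finditer(body))
        if not matches or matches[-1].end() != len(body):
            break
        tail.append(matches[-1].group(0))
        body = body[: matches[-1].start()].rstrip()
    flagged = []
    for tag in tail:
        src = SRC_RE.search(tag)
        host = urlparse(src.group(1)).hostname if src else None  # None = inline script
        if host not in allowed_hosts:
            flagged.append(tag)
    return flagged

def bulk_admin_updates(log_lines, trusted_nets, threshold):
    """Source IPs outside trusted_nets with >= threshold successful writes to /admin/posts/."""
    nets = [ip_network(n) for n in trusted_nets]
    counts = Counter()
    for m in filter(None, map(LOG_RE.match, log_lines)):
        ip, method, path, status = m.groups()
        if (method in ("PUT", "POST", "DELETE") and "/admin/posts/" in path
                and status.startswith("2") and not any(ip_address(ip) in n for n in nets)):
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample: a legitimate post with an appended third-party loader tag.
SAMPLE_POST = ('<p>Welcome to our research blog.</p>'
               '<script src="https://cdn.example.org/analytics.js"></script>'
               '<script src="https://loader.invalid/loader.js"></script>')
# Constructed sample log: one trusted editor (10.0.0.5) and one unknown IP bulk-updating posts.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2026:08:00:01 +0000] "PUT /ghost/api/admin/posts/a1/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/May/2026:08:00:02 +0000] "PUT /ghost/api/admin/posts/a1/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/May/2026:08:00:02 +0000] "PUT /ghost/api/admin/posts/b2/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/May/2026:08:00:03 +0000] "PUT /ghost/api/admin/posts/c3/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/May/2026:08:00:03 +0000] "GET /ghost/api/content/posts/ HTTP/1.1" 200 4096',
]
```

Run the two functions over a database export of post HTML and the web server's access log; a script tag that sits mid-post is deliberately not flagged, since the campaign described above appends its loader at the end of each page.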

Long‑term hardening recommendations

  • Separate API keys – Use distinct keys for content publishing and administrative tasks; limit the latter to internal IP ranges.
  • Content‑security‑policy (CSP) – Deploy a strict CSP that disallows inline scripts and only permits scripts from trusted origins.
  • Zero‑trust CI/CD – Validate all theme and plugin updates with signed packages and automated security scans before deployment.
  • Monitoring – Integrate Ghost logs with a SIEM and enable alerts for bulk content modifications.

The Ghost CMS incident underscores how a single API credential can become a powerful foothold for attackers. By moving quickly to patch, rotate keys and clean compromised content, site operators can stop the current ClickFix wave and reduce the attack surface for future exploits.
