The critical vulnerability CVE-2026-26980 (CVSS 9.4) in the Ghost CMS platform is being actively exploited by attackers to mass-inject malicious JavaScript code into posts on compromised sites. According to QiAnXin XLab researchers, the campaign discovered on May 7, 2026 has affected more than 700 websites in the education, blockchain, artificial intelligence, SaaS, media and financial technology sectors. The ultimate goal is to deliver malware via ClickFix attacks using fake CAPTCHA pages. The vulnerability was fixed in version 6.19.1 back in February 2026 — Ghost CMS administrators need to update immediately and audit their installations.
Technical nature of the vulnerability
CVE-2026-26980 is an SQL injection vulnerability in the Content API of the Ghost platform. According to the official security advisory, the vulnerability allows an unauthenticated attacker to read arbitrary data from the database. The CVSS score of 9.4 reflects a critical severity level.
What makes the vulnerability particularly severe is that it allows an attacker to extract the site’s Admin API key without any authentication. This key provides full access to the Ghost Admin API, including the ability to programmatically modify published posts. This is exactly the vector used in the current campaign: attackers are mass-modifying content, injecting malicious JavaScript loaders at the end of pages.
Notably, the vulnerability was discovered by Anthropic using the Claude AI model. A fix was released in Ghost version 6.19.1 in February 2026.
Attack mechanics: from injection to full control
According to the QiAnXin XLab report, the attack is carried out through a multi-stage delivery chain:
Stage 1 — CMS compromise. The attacker exploits CVE-2026-26980 to extract the Admin API key from the database. Then, via the Admin API, they mass-modify posts, appending a malicious JavaScript loader to the end of each page.
Stage 2 — Two-stage loader. The injected JavaScript acts as a first-stage loader that contacts an external server to fetch the main payload at runtime. This architecture lets attackers flexibly change the delivered content while keeping the loader unchanged across hundreds of compromised sites.
Stage 3 — Cloaking via Adspect. According to reports, a server-side PHP script uses the commercial Adspect cloaking service. The script collects browser fingerprints from visitors, sends them to the command server and performs actions based on the instructions it receives — redirects, pop-ups, downloads. The script is believed to support 19 different commands for executing arbitrary JavaScript and remotely controlling the victim’s browser. Security scanners and search engine crawlers see only a benign page.
Stage 4 — ClickFix attack. Targeted visitors are shown a fake CAPTCHA page inside an iframe element. The victim is prompted to “confirm you’re human” by copying and pasting a Base64-encoded command into the Windows Run dialog. This command starts the delivery chain: downloading a ZIP archive, extracting and executing a Windows batch script, which in turn uses PowerShell to download a DLL file from a remote server and run it via rundll32.exe. At the same time, a decoy web page is opened.
Payload evolution
Researchers observed that in later iterations of the campaign, the DLL file was replaced with a JavaScript payload. Regardless of the delivery type, the ultimate goal is to install a Windows executable:
- In the DLL variant, a PuTTY client with a valid code-signing certificate is delivered
- In the JavaScript variant, an Inno Setup installer for an Electron application is deployed
The Electron application is reportedly a modified version of the open-source Grape desktop client. The modification ensures persistence in the system and polls the command server every 30 seconds for instructions, including executing JavaScript code or binaries.
Indicators of compromise
Based on the research data, the following indicators were identified:
- Domains:
clo4shara[.]xyz, web-telegram[.]ug
Scope and impact assessment
According to QiAnXin XLab’s assessment, the campaign has affected more than 700 websites. Among the compromised resources are sites of universities and companies in the blockchain, AI, SaaS, information security, media and financial technology sectors. Using legitimate, trusted sites as an attack platform significantly increases the success rate of ClickFix attacks: visitors to such resources do not expect to encounter malicious content.
It should be noted that the scale estimate is based on data from a single research source and has not yet been independently confirmed by the Ghost vendor or government cybersecurity agencies. Nevertheless, the criticality of the vulnerability itself (CVSS 9.4) and the ease of exploitation — no authentication required, via the public Content API — make large-scale exploitation a very realistic scenario.
In some cases, according to the researchers, malicious code was injected into sites within the span of a single day, indicating a high degree of attack automation.
Response recommendations
Ghost CMS administrators should immediately take the following steps:
- Update Ghost to version 6.19.1 or higher — the vulnerability is fixed in this release
- Rotate all credentials, including Admin API and Content API keys, database passwords and administrator accounts
- Audit content — check every published post for unauthorized script tags, especially ones appended at the end of the post body, and also review the site-wide and per-post code injection settings, which are another place a loader can be planted
- Review access logs for suspicious requests to the Content API and Admin API, particularly bursts of post-edit requests from a single source shortly after Content API queries, since that is the exploit-then-edit sequence used in this campaign
- Block identified indicators of compromise at the network and WAF level
- Notify users who may have visited the site during the compromise period about the potential risk
Given that exploitation does not require authentication and yields full control over published content via the Admin API, patching is the top priority. Every unpatched Ghost CMS instance with an internet-accessible Content API is a potential target. If an immediate update is not possible, at the very least restrict external access to the API via network rules and review the current site content for unauthorized changes; bear in mind that Ghost themes and the built-in search rely on the Content API, so test the public front end after tightening access.
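The content audit and log review above can be scripted. The following is an added example, not Ghost's own code or anything from the XLab report. It assumes post HTML has been pulled from the Ghost Admin API `posts` resource (or the `posts.html` database column), that the access log is in the common combined format, and that the API is served under Ghost's default prefixes `/ghost/api/content/` and `/ghost/api/admin/`; the post HTML and log lines below are constructed for the demonstration.

```python
"""Post-compromise audit helpers for a Ghost site.

Added example for the checklist above; not Ghost's own code. Assumptions:
  * post HTML comes from the Ghost Admin API `posts` resource (formats=html)
    or a database export of the `posts.html` column; the sample here is constructed
  * access logs are in the common combined format and the API lives under
    Ghost's default prefixes /ghost/api/content/ and /ghost/api/admin/
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Domains named in the report (refanged so they parse as hostnames).
IOC_DOMAINS = {"clo4shara.xyz", "web-telegram.ug"}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
OBFUSCATION_RE = re.compile(r"atob\(|eval\(|fromCharCode|unescape\(", re.I)


def audit_post_html(html, trusted_domains=frozenset()):
    """Return (reason, detail) findings for script tags in one post's HTML.

    Flags external scripts pointing at a reported IOC domain, external scripts
    from any domain not on the site's own allow-list, and inline scripts that
    sit at the very end of the post or contain decoder calls typical of loaders
    (the report describes loaders appended to the end of each page).
    """
    findings = []
    end_of_content = len(html.rstrip())
    for m in SCRIPT_RE.finditer(html):
        attrs, body = m.group(1), m.group(2)
        trailing = m.end() >= end_of_content
        src = SRC_RE.search(attrs)
        if src:
            host = (urlparse(src.group(1)).hostname or "").lower()
            if host in IOC_DOMAINS:
                findings.append(("ioc-domain", host))
            elif host and host not in trusted_domains:
                findings.append(("untrusted-domain", host))
        elif trailing or OBFUSCATION_RE.search(body):
            findings.append(("inline-script", " ".join(body.split())[:60]))
    return findings


def audit_posts(posts, trusted_domains=frozenset()):
    """Map post id -> findings for every post that has at least one finding."""
    report = {}
    for post in posts:
        findings = audit_post_html(post.get("html") or "", trusted_domains)
        if findings:
            report[post["id"]] = findings
    return report


LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
ADMIN_POST_EDIT_RE = re.compile(r"^/ghost/api/admin/posts/[^/?]+/?(\?|$)")
CONTENT_API_PREFIX = "/ghost/api/content/"


def find_mass_edits(log_lines, window_seconds=300, threshold=5):
    """Flag source IPs that edited >= threshold posts via the Admin API within
    any window_seconds span, and record whether that IP hit the public Content
    API before its first edit (the exploit-then-edit sequence in this campaign)."""
    edits = defaultdict(list)   # ip -> edit timestamps
    first_content_hit = {}      # ip -> earliest Content API request
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, path = m["ip"], m["path"]
        if path.startswith(CONTENT_API_PREFIX):
            first_content_hit[ip] = min(ts, first_content_hit.get(ip, ts))
        elif m["method"] == "PUT" and ADMIN_POST_EDIT_RE.match(path):
            edits[ip].append(ts)
    flagged = {}
    for ip, times in edits.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):   # sliding window over sorted timestamps
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            seen = first_content_hit.get(ip)
            flagged[ip] = {"edits_in_window": best,
                           "content_api_first": seen is not None and seen <= times[0]}
    return flagged


# Constructed sample data: one post carrying an IOC loader, one clean post with
# an allow-listed embed, one with a trailing obfuscated inline loader.
SAMPLE_POSTS = [
    {"id": "p1", "html": '<p>Hello.</p>\n<script src="https://clo4shara.xyz/l.js"></script>\n'},
    {"id": "p2", "html": '<p>Embed:</p><script src="https://cdn.example.com/embed.js"></script><p>Thanks.</p>'},
    {"id": "p3", "html": '<p>Text.</p><script>var s=atob("Lz9x");document.head.appendChild('
                         'document.createElement("script")).src=s;</script>'},
]
# Constructed log: one source queries the Content API, then edits six posts in
# five seconds; a second source makes a single ordinary edit.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/May/2026:10:15:01 +0000] "GET /ghost/api/content/posts/?key=abc&limit=1 HTTP/1.1" 200 512 "-" "python-requests/2.32"',
] + [
    f'203.0.113.7 - - [07/May/2026:10:15:{9 + n:02d} +0000] "PUT /ghost/api/admin/posts/63a{n}/ HTTP/1.1" 200 2048 "-" "python-requests/2.32"'
    for n in range(6)
] + [
    '198.51.100.4 - - [07/May/2026:11:02:30 +0000] "PUT /ghost/api/admin/posts/63a9/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(audit_posts(SAMPLE_POSTS, trusted_domains={"cdn.example.com"}))
    print(find_mass_edits(SAMPLE_LOG))
```

Feed `audit_posts` the full post list from the Admin API (every post, not just recent ones, since the campaign edits existing content) with your theme's legitimate script hosts in `trusted_domains`, and run `find_mass_edits` over the whole log retention window; the thresholds are starting points and should be lowered for low-traffic sites where even a handful of edits from one address in a few minutes is unusual.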