CybersecurityNewswireTechnologyWhat's Buzzing

Ghost CMS SQL injection exploited in widespread ClickFix attacks

Originally published on: May 25, 2026
▼ Summary

– Attackers are exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript.
– The injected JavaScript triggers ClickFix attack flows as part of a large-scale campaign.

A widespread threat campaign is actively targeting a critical SQL injection vulnerability in Ghost CMS, tracked as CVE-2026-26980. Attackers are exploiting this flaw to inject malicious JavaScript, which then initiates a ClickFix attack chain designed to compromise site visitors and steal sensitive data.

The vulnerability allows unauthenticated attackers to execute arbitrary SQL queries against the Ghost CMS database. By exploiting this weakness, threat actors are embedding harmful scripts into legitimate pages. When users visit an infected site, they encounter a fake error message or a deceptive prompt, instructing them to “click to fix” the issue. This click, however, triggers a multi-stage infection process that can lead to credential theft, malware deployment, or unauthorized access to the victim’s system.

Security researchers have observed a significant uptick in exploitation attempts since the disclosure of CVE-2026-26980. The campaign appears to be automated and targets a broad range of Ghost instances, regardless of their size or traffic volume. The injected JavaScript is often obfuscated to evade detection, making it harder for site administrators and security tools to identify the compromise.

Ghost CMS users are strongly urged to apply the latest security patches immediately. The vulnerability affects versions prior to the most recent update, and unpatched sites remain highly exposed. Additionally, website owners should monitor their databases for unauthorized changes, review server logs for suspicious SQL queries, and consider implementing a web application firewall (WAF) to block common injection patterns. For end users, exercising caution when encountering unexpected pop-ups or “fix” prompts on any website is essential to avoid falling victim to this evolving threat.

(Source: BleepingComputer)

Topics

sql injection 98% ghost cms vulnerability 97% malicious javascript 95% clickfix attack 93% large-scale campaign 91% critical vulnerability 88% web security 85% content management systems 82% cyber attack 80% exploit 78%