Ghost CMS SQL injection exploited in widespread ClickFix attacks

▼ Summary
– Attackers are exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript.
– The injected JavaScript triggers ClickFix attack flows as part of a large-scale campaign.
A widespread threat campaign is actively targeting a critical SQL injection vulnerability in Ghost CMS, tracked as CVE-2026-26980. Attackers are exploiting this flaw to inject malicious JavaScript, which then initiates a ClickFix attack chain designed to compromise site visitors and steal sensitive data.
The vulnerability allows unauthenticated attackers to execute arbitrary SQL queries against the Ghost CMS database. By exploiting this weakness, threat actors are embedding harmful scripts into legitimate pages. When users visit an infected site, they encounter a fake error message or a deceptive prompt, instructing them to “click to fix” the issue. This click, however, triggers a multi-stage infection process that can lead to credential theft, malware deployment, or unauthorized access to the victim’s system.
Security researchers have observed a significant uptick in exploitation attempts since the disclosure of CVE-2026-26980. The campaign appears to be automated and targets a broad range of Ghost instances, regardless of their size or traffic volume. The injected JavaScript is often obfuscated to evade detection, making it harder for site administrators and security tools to identify the compromise.
Ghost CMS users are strongly urged to apply the latest security patches immediately. The vulnerability affects versions prior to the most recent update, and unpatched sites remain highly exposed. Additionally, website owners should monitor their databases for unauthorized changes, review server logs for suspicious SQL queries, and consider implementing a web application firewall (WAF) to block common injection patterns. For end users, exercising caution when encountering unexpected pop-ups or “fix” prompts on any website is essential to avoid falling victim to this evolving threat.
(Source: BleepingComputer)




