- A critical SQL injection flaw (CVE-2026-26980) in Ghost CMS is being actively exploited to hijack website articles.
- Attackers have compromised over 700 legitimate websites across sectors including blockchain, AI, and fintech to fuel ClickFix malware campaigns.
- The attacks inject a two-stage JavaScript loader that deploys a cloaking script and a fake CAPTCHA page to trick victims into running malicious commands.
- The end goal is to install a modified version of the open-source Grape desktop client for persistent remote control.
Threat actors are exploiting a recently disclosed critical security flaw in Ghost CMS to inject malicious JavaScript into published articles and use the compromised sites to stage ClickFix attacks, according to a report from QiAnXin XLab. The campaign, first detected on May 7, 2026, has resulted in the large-scale poisoning of legitimate websites.
The vulnerability, CVE-2026-26980, is an SQL injection flaw in Ghost’s Content API with a CVSS score of 9.4. It allows unauthenticated attackers to read arbitrary data from the database, including a site’s Admin API key. With that key, attackers can edit articles in bulk and inject malicious code into them.
More than 700 websites across universities, blockchain, artificial intelligence, and financial technology sectors have been compromised. XLab said the use of legitimate sites increases the success rate of the subsequent attacks.
The injected code functions as a two-stage loader that retrieves a main payload from an external domain. This payload is a traffic distribution script powered by the commercial cloaking service Adspect, which collects browser fingerprints and serves malicious content only to intended victims. Visitors deemed as targets are shown a fake CAPTCHA verification page within an iframe.
This fake page triggers a ClickFix attack, instructing users to paste a Base64-encoded command into the Windows Run dialog. The command acts as a dropper, ultimately delivering a modified version of the open-source Grape desktop client. This application achieves persistence and polls a remote server every 30 seconds to execute attacker commands.
Ghost CMS users are urged to upgrade to version 6.19.1 or later, rotate all credentials (including the Admin API key the flaw exposes), and audit access logs for suspicious activity. They should also notify users who visited the site during the compromise window that they may have been exposed.
