- Researchers warn that CVE-2026-26980, a critical SQL injection flaw in Ghost CMS (score 9.4), is being exploited in a large ClickFix campaign
- Over 700 domains, including Harvard, Oxford, DuckDuckGo, and major AI/SaaS companies, were compromised to deliver malware via DLL loaders, JS droppers, and Electron-based payloads
- Administrators should immediately upgrade to Ghost 6.19.1 or later and monitor 30-day admin API logs to detect potential compromise
A Critical Severity vulnerability that was reportedly patched three months ago is being exploited in a massive ClickFix campaign, researchers have claimed.
In mid-February 2026, a critical SQL injection vulnerability was found in Ghost CMS, a popular open source Content Management System (CMS) currently used by more than 57,000 websites, including 404 Media, the Canadian government, and Duolingo.
The flaw, tracked as CVE-2026-26980 and affecting Ghost 3.24.0 through 6.19.0, was assigned a severity score of 9.4/10 (Critical) as it potentially allows unauthorized attackers to perform arbitrary reads from the database that provide administrative access to pages and articles.
Deploying various malware
However, many users most likely haven’t patched, as Chinese cybersecurity firm Qianxin claims that more than 700 domains were compromised to serve ClickFix attack flows.
Among them are Harvard University, Oxford University, Auburn University, DuckDuckGo and many AI/SaaS enterprise websites, media, fintech companies and others.
ClickFix is a type of scam where attackers tell victims they have a problem (which they don’t) and then provide a solution (which isn’t one). The “solution” just deploys a piece of malware, and depending on the attackers and the targets, it can vary from classic backdoors to ransomware encryptors.
In this campaign, the researchers saw DLL loaders, JavaScript droppers, and a generic Electron-based malware being distributed.
The best way to mitigate the threat is to simply upgrade Ghost CMS to either version 6.19.1 or whatever the latest version is currently. Site owners are also advised to keep a 30-day record of admin API call logs, just to keep track of potential compromises.
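To act on the upgrade advice across many sites, the following added example (not code from Ghost or from the researchers) triages a list of Ghost versions against the range stated above: 3.24.0 through 6.19.0 affected, 6.19.1 or later fixed. The inventory format, hostnames and status labels are assumptions made for this illustration.

```javascript
// Added example: classify Ghost versions against the range given in the article.
// Affected: 3.24.0 through 6.19.0 (inclusive). Fixed: 6.19.1 or later.
const AFFECTED_MIN = [3, 24, 0];
const AFFECTED_MAX = [6, 19, 0];

// Parse "6.19.0", "v5.82.2" or "6.19.1-rc.0" into numbers plus a pre-release flag.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(text).trim());
  if (!m) return null;
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

// Compare [major, minor, patch] numerically; string comparison would rank
// "6.9.0" above "6.19.0" and wrongly report it as fixed.
function compareParts(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Status labels are hypothetical names chosen for this example.
function classifyGhostVersion(text) {
  const v = parseVersion(text);
  if (!v) return 'unknown';
  if (compareParts(v.parts, AFFECTED_MIN) < 0) return 'below-affected-range';
  if (compareParts(v.parts, AFFECTED_MAX) <= 0) return 'affected';
  // A pre-release tag on a later number does not prove the fix is included.
  return v.prerelease ? 'unknown' : 'patched';
}

// Constructed inventory: hostnames and versions are made up for this example.
const SAMPLE_INVENTORY = [
  { site: 'blog.example.test', version: '6.19.0' },
  { site: 'news.example.test', version: '6.19.1' },
  { site: 'docs.example.test', version: 'v6.9.0' },
  { site: 'old.example.test', version: '3.23.1' },
  { site: 'stage.example.test', version: '6.19.1-rc.0' },
];

// Return only the sites that need an upgrade or a manual version check.
function triage(inventory) {
  return inventory
    .map(({ site, version }) => ({ site, version, status: classifyGhostVersion(version) }))
    .filter((row) => row.status === 'affected' || row.status === 'unknown');
}
```

Sites reported as `affected` are also the ones whose admin API call logs deserve review, since patching does not undo an earlier compromise.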
Via Bleeping Computer




