Ghost CMS SQLi (CVE-2026-26980) hijacks 700+ sites — Harvard, Oxford, DuckDuckGo serve ClickFix
An unauthenticated SQL injection in Ghost's Content API leaks admin API keys. Attackers chain it into stored XSS and a fake Cloudflare ClickFix lure. Upgrade to 6.19.1.
A large-scale campaign is mass-exploiting CVE-2026-26980, an unauthenticated SQL injection in Ghost CMS Content API, to plant a ClickFix lure on more than 700 websites. XLab at Qianxin, which surfaced the campaign, lists Harvard, Oxford, Auburn, and DuckDuckGo among the compromised domains.
The CVE is rated 9.4 Critical and is patched in Ghost 6.19.1. Every release from 3.24.0 through 6.19.0 is vulnerable.
What the bug does
The Content API exposes a slug filter (slug:[a,b,c]) parsed by Ghost's NQL query language. Ghost builds an ORDER BY CASE WHEN … END fragment by concatenating attacker-controlled slug values directly into a raw SQL string — no parameter binding, no escaping. An unauthenticated GET to the public Content API is enough to read any row in the database, including the Ghost Admin API key.
With the admin key in hand, the attacker calls the Admin API and edits published posts to inject JavaScript. From there, the site itself becomes the dropper.
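To make the defect concrete, here is an added illustrative example in Node.js. It is not Ghost's actual code and the function names are assumptions; it shows the general pattern the write-up describes, an ORDER BY CASE WHEN fragment built by string concatenation, next to the parameterized form and an input validator that a query builder should sit behind.

```javascript
// Added example, not Ghost's own code. Function names and the slug pattern are
// assumptions chosen for illustration.

// Vulnerable pattern: each slug value is spliced straight into the SQL text,
// so whatever the client sends is parsed by the database as part of the query.
function buildSlugOrderUnsafe(slugs) {
  const whens = slugs
    .map((slug, i) => `WHEN posts.slug = '${slug}' THEN ${i}`)
    .join(' ');
  return `ORDER BY CASE ${whens} END`;
}

// Hardened pattern: the SQL text contains only placeholders; every value
// travels separately as a binding and is never interpreted as SQL.
function buildSlugOrderSafe(slugs) {
  const whens = slugs.map(() => 'WHEN posts.slug = ? THEN ?').join(' ');
  const bindings = slugs.flatMap((slug, i) => [slug, i]);
  return { sql: `ORDER BY CASE ${whens} END`, bindings };
}

// Defence in depth: reject anything that is not a plausible slug before it
// reaches the query builder at all (lower-case letters, digits and hyphens).
const SLUG_RE = /^[a-z0-9](?:[a-z0-9-]{0,190}[a-z0-9])?$/;
function validateSlugs(slugs) {
  const bad = slugs.filter((s) => typeof s !== 'string' || !SLUG_RE.test(s));
  if (bad.length) throw new Error(`rejected slug value(s): ${bad.join(', ')}`);
  return slugs;
}

// Count quote characters in the SQL text: a quick way to see whether user
// input has leaked into the statement instead of staying in the bindings.
function quotesInSql(sql) {
  return (sql.match(/'/g) || []).length;
}

// Stand-alone demonstration with constructed input.
const demo = ['welcome', "it's"];
console.log('unsafe :', buildSlugOrderUnsafe(demo));
console.log('safe   :', JSON.stringify(buildSlugOrderSafe(demo)));
try {
  validateSlugs(demo);
} catch (e) {
  console.log('validator:', e.message);
}
```

The quote in the second slug ends up inside the statement text in the unsafe builder and stays in the bindings array in the safe one; the validator rejects it before either builder runs, which is the layering a fix like the one in 6.19.1 should have.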
Affected versions
- Ghost CMS >= 3.24.0 and < 6.19.1.
- Both self-hosted and any unmanaged deployment running an older release.
- Ghost(Pro) customers were updated by the vendor.
Fixed in 6.19.1. The patch parameterizes the slug fragment and removes the raw string concatenation.
Exploitation status
XLab tracks at least two distinct threat clusters running the campaign, some planting the loader on victim sites within a single day of the initial exploitation. Sector spread is broad: universities, AI/SaaS, fintech, media, and security-research blogs. The injected loader fingerprints visitors before delivering the payload, then renders a fake Cloudflare verification iframe over the article. The lure asks the visitor to paste a Base64-encoded command into the Windows Run dialog: the standard ClickFix social-engineering chain that ends in malware execution under the user's account.
A public exploit is on GitHub. Treat the flaw as opportunistically scanned.
Action checklist
- Upgrade to Ghost 6.19.1 today. Self-hosters on 5.x or older 6.x branches need to plan a real upgrade — Ghost does not back-port fixes far.
- Rotate every secret stored in the database. The Admin API key is the headline target, but assume the database is fully readable: rotate API keys, integration tokens, mail credentials, OAuth secrets, and any custom user records.
- Audit published content for injected scripts. Search posts and pages for unexpected <script> tags, especially those loading from external domains. Diff against your last known-good content backup.
- Inspect access logs. Look for GET /ghost/api/content/posts/?filter=slug: requests with unusual slug payloads in the last 60 days, and Admin API calls (/ghost/api/admin/) from IPs you don't recognize.
- Notify readers if you served the ClickFix lure. Visitors who pasted the command should be told to assume their machine is compromised.
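As an added example, not part of the original write-up or the Ghost project, the two inspection steps of the checklist (access-log review and content audit) as a small Node.js triage script. The log lines, the post HTML, the IP allow-list, the site hostname and the "plausible slug" pattern are all constructed or assumed for the example; point the functions at your real access log and exported post content.

```javascript
// Added example, not the page's or Ghost's own code. Sample data below is
// constructed; the allow-list and slug pattern are assumptions.

// A plausible slug element: lower-case letters, digits, hyphens. Anything else
// in a slug filter (quotes, parentheses, spaces, SQL keywords) is worth a look.
const SLUG_ELEMENT = /^[a-z0-9-]{1,191}$/;

// Parse a combined-format access log line into its interesting fields.
function parseLogLine(line) {
  const m = line.match(/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Pull the slug filter elements out of a Content API request path, or null
// if the request carries no slug filter. Decoding is done by hand so that the
// '+' NQL operator is not turned into a space.
function slugFilterElements(path) {
  const query = path.split('?')[1] || '';
  for (const pair of query.split('&')) {
    if (!pair.startsWith('filter=')) continue;
    let filter;
    try {
      filter = decodeURIComponent(pair.slice('filter='.length));
    } catch (e) {
      return ['<undecodable>']; // malformed encoding is itself worth flagging
    }
    const m = filter.match(/slug:(\[[^\]]*\]|[^+]*)/);
    if (!m) return null;
    const body = m[1].startsWith('[') ? m[1].slice(1, -1) : m[1];
    return body.split(',').map((s) => s.trim());
  }
  return null;
}

function isSuspiciousSlugRequest(entry) {
  if (!entry.path.startsWith('/ghost/api/content/')) return false;
  const elements = slugFilterElements(entry.path);
  return elements !== null && elements.some((s) => !SLUG_ELEMENT.test(s));
}

// Any Admin API call from an address outside the editors' allow-list.
function isUnknownAdminCall(entry, allowedIps) {
  return entry.path.startsWith('/ghost/api/admin/') && !allowedIps.has(entry.ip);
}

function triageAccessLog(lines, allowedIps) {
  const report = { suspiciousSlugRequests: [], unknownAdminCalls: [], unparsed: 0 };
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (!entry) { report.unparsed += 1; continue; }
    if (isSuspiciousSlugRequest(entry)) report.suspiciousSlugRequests.push(entry);
    if (isUnknownAdminCall(entry, allowedIps)) report.unknownAdminCalls.push(entry);
  }
  return report;
}

// Content audit: script tags whose src resolves to a host other than the site.
function findExternalScripts(html, siteHost) {
  const found = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    let host;
    try { host = new URL(m[1], `https://${siteHost}/`).hostname; } catch (e) { host = '<invalid>'; }
    if (host !== siteHost) found.push(m[1]);
  }
  return found;
}

// Inline scripts (no src) also deserve a diff against the known-good backup.
function countInlineScripts(html) {
  return (html.match(/<script\b(?![^>]*\bsrc\s*=)[^>]*>/gi) || []).length;
}

// Constructed sample data: one benign slug filter, one with stray characters,
// one Admin API write from an unknown address, one from the editors' office.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Mar/2026:10:01:02 +0000] "GET /ghost/api/content/posts/?key=abc&filter=slug:welcome HTTP/1.1" 200 1234',
  '203.0.113.5 - - [10/Mar/2026:10:01:30 +0000] "GET /ghost/api/content/posts/?key=abc&filter=slug%3A%5Bwelcome%2Csecond-post%5D HTTP/1.1" 200 2345',
  '198.51.100.7 - - [10/Mar/2026:10:02:15 +0000] "GET /ghost/api/content/posts/?key=abc&filter=slug%3A%5Bwelcome%2Cx%27%29%5D HTTP/1.1" 200 9876',
  '198.51.100.7 - - [10/Mar/2026:10:05:40 +0000] "PUT /ghost/api/admin/posts/5f1/ HTTP/1.1" 200 4321',
  '192.0.2.10 - - [10/Mar/2026:11:00:00 +0000] "GET /ghost/api/admin/site/ HTTP/1.1" 200 321',
];
const EDITOR_IPS = new Set(['192.0.2.10']);
const SAMPLE_POST_HTML =
  '<p>Hello</p><script src="/assets/js/app.js"></script>' +
  '<script src="https://cdn.example.invalid/verify.js"></script><script>window.x=1</script>';

console.log(JSON.stringify(triageAccessLog(SAMPLE_LOG, EDITOR_IPS), null, 2));
console.log('external scripts:', findExternalScripts(SAMPLE_POST_HTML, 'blog.example.invalid'));
console.log('inline scripts  :', countInlineScripts(SAMPLE_POST_HTML));
```

The slug check deliberately flags on character class rather than on a list of known payloads, so it catches variants without needing to know what the exploit looks like; expect a few false positives from odd but legitimate requests, which the 60-day window in the checklist keeps manageable.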
Context
Ghost runs most of the world's small, single-author publishers and a meaningful slice of corporate marketing sites. The campaign demonstrates the familiar pattern: a critical CMS bug → admin credential exposure → silent content modification → drive-by social engineering at the reader. The novelty here is the choice of payload — ClickFix has displaced classic exploit-kit redirects as the favored browser-to-endpoint pivot, because it bypasses every browser sandbox by asking the user to execute the code themselves.
Ghost shipped the fix quickly, but the long tail of unmanaged installs will keep this CVE on KEV-track lists for months. If you operate a Ghost site you haven't touched in a year, you almost certainly need to assume it's already in the corpus.
Sources: BleepingComputer, The Hacker News, XLab research.