Gathos News


Ghost CMS Flaw Hijacks 700+ Sites for ClickFix Attacks

A critical SQL injection vulnerability in the Ghost content management system, CVE-2026-26980, has been actively exploited. More than 700 websites were hijacked and used to push ClickFix malware through fake CAPTCHA pages. Cybersecurity firm QiAnXin XLab identified the widespread attacks.


Hundreds of websites running the Ghost content management system have fallen victim to a vulnerability that allows attackers to inject malicious code and hijack traffic. The flaw, identified as CVE-2026-26980, is an SQL injection vulnerability that has seen widespread exploitation, affecting more than 700 sites since its discovery.

Cybersecurity researchers at QiAnXin XLab first spotted this activity. They report that threat actors are actively using this critical flaw, which carries a CVSS score of 9.4, near the top of the severity scale. For anyone running Ghost, this isn't just a theoretical threat; it's a real and present danger.

The Anatomy of a ClickFix Attack

So, what's happening? Once an attacker exploits CVE-2026-26980, they gain the ability to inject malicious JavaScript directly into a compromised Ghost site. This isn't subtle. The injected script then redirects visitors through a series of fake CAPTCHA pages. You know the drill: click on all the squares with traffic lights or crosswalks. Except here, it’s all a ruse.

This elaborate setup is designed to fuel what are known as ClickFix attacks. Essentially, it manipulates user interactions, often leading to ad fraud or driving traffic to specific, often unwanted, destinations. Think of it as a sophisticated click farm, but using legitimate websites as unwilling accomplices. The sheer scale, with over 700 sites already compromised, suggests a well-organized campaign rather than opportunistic probing.

Why This Matters for Ghost Users

Ghost, often chosen by professional publishers, bloggers, and newsletter creators for its lean design and focus on content, is usually considered a secure platform. This incident is a sharp reminder that even streamlined systems aren't immune to fundamental vulnerabilities like SQL injection. It's a classic attack vector, yet it remains incredibly effective when not properly defended.

For administrators of Ghost instances, the message is clear: patch immediately. If you haven't already, check your system for any signs of compromise. Given the active exploitation reported on May 25, 2026, time is of the essence. We've seen similar widespread attacks on other CMS platforms in the past, and swift action is always the best defense. This isn't just about protecting your site's integrity; it's about protecting your readers from being unwittingly funneled into these malicious click schemes.
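One way to act on the advice to check for signs of compromise, as an added example that is not from the article, QiAnXin XLab or the Ghost project: since the attackers inject JavaScript, it audits the script tags in a page's rendered HTML. The allowlist, the inline heuristic, the `audit_page` helper and every host in the sample are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads scripts from; edit per site.
ALLOWED_SCRIPT_HOSTS = {"cdn.jsdelivr.net"}
# Heuristic (assumption): inline code that navigates the visitor or builds code at runtime.
SUSPICIOUS_INLINE = re.compile(r"location\s*(\.(href|replace|assign)|=)|document\.write|eval\(|atob\(")

# Collects every <script> in rendered HTML: external src URLs and inline bodies.
class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src.strip())
            else:
                self._buf = []          # start capturing an inline body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None

def audit_page(html, site_host, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return (kind, evidence) findings for scripts that need a human look."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname or site_host   # relative URL means same origin
        if host != site_host and host not in allowed:
            findings.append(("external", src))
    for body in collector.inline:
        if SUSPICIOUS_INLINE.search(body):
            findings.append(("inline", body[:80]))
    return findings

# Constructed sample of a rendered page; every host below is made up.
SAMPLE_HTML = """<html><head><script src="/assets/built/main.js"></script>
<script src="https://cdn.jsdelivr.net/npm/example-lib/lib.min.js"></script>
<script src="//static.unknown-host.example/c.js"></script>
<script type="application/ld+json">{"@type": "Article"}</script>
<script>window.location.replace("https://verify.example.invalid/");</script></head></html>"""
if __name__ == "__main__":
    print(audit_page(SAMPLE_HTML, "blog.example.com"))
```

A finding is a prompt for review, not proof of compromise: compare each flagged script against what the theme and site settings are supposed to load.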
