More than 700 websites running the Ghost content management system have been compromised through a critical SQL injection vulnerability, turning trusted domains into malware distribution platforms. Attackers exploited CVE-2026-26980 to steal administrative credentials and inject malicious code that presents visitors with fake security verification prompts. The compromised sites include universities and technology companies whose legitimate reputations are now being weaponized in a widespread ClickFix social engineering campaign.
The vulnerability affects Ghost CMS versions 3.24.0 through 6.19.0 and requires no authentication to exploit. Attackers can directly access database contents through the flaw in Ghost's Content API, including Admin API keys that grant full control over website content. Once these keys are stolen, threat actors can edit posts, inject scripts, modify themes, and manipulate any user-facing content without detection.
The injected malicious JavaScript loads a second-stage attack that displays convincing fake Cloudflare or CAPTCHA verification dialogs to website visitors. Instead of a standard checkbox, these prompts instruct users to copy and paste commands into the Windows Run dialog or PowerShell. The commands are framed as routine technical steps, such as connection fixes or human verification, but actually install malware when executed. The attack is particularly effective because it appears on already-trusted websites, bypassing normal user skepticism.
The campaign demonstrates how compromised legitimate infrastructure can amplify social engineering attacks. Users visiting familiar websites from reputable organizations have no reason to suspect the verification prompts are malicious. Attackers exploit this trust while using urgency tactics like countdowns and fake user counters to pressure visitors into acting quickly without critical evaluation. The technique has proven effective enough that security researchers expect ClickFix attacks to continue proliferating.
Website administrators running Ghost CMS should immediately update to the patched version to prevent exploitation and review their sites for unauthorized modifications. Users should adopt defensive browsing habits: never copy and paste commands from websites without verification, manually type any necessary commands to avoid hidden clipboard payloads, and maintain updated anti-malware solutions with web protection capabilities. Organizations should educate staff and users about ClickFix techniques, emphasizing that legitimate services never require users to run manual commands for basic verification tasks.
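The review step above ("review their sites for unauthorized modifications") and the lure described earlier (a clipboard-planting script paired with "verify you are human" / Win+R wording) can be turned into a quick triage check. The following script is an added example written for this summary; it is not code from the original article, from Malwarebytes or from the Ghost project. It assumes that a Ghost site's rendered HTML carries a `<meta name="generator" content="Ghost X.Y">` tag (which may report only major.minor, so the version result is a hint to confirm on the host, not proof) and uses the affected range 3.24.0 through 6.19.0 stated above. The sample page, the `cdn.example.invalid` URL and the inert `echo placeholder` script are constructed for the demonstration.

```python
import json
import re
from html.parser import HTMLParser

# Affected range as stated in the advisory summary (inclusive). Assumption:
# the generator meta may only carry major.minor, so treat matches as a hint.
AFFECTED_MIN = (3, 24, 0)
AFFECTED_MAX = (6, 19, 0)

# Clipboard-write calls that a ClickFix lure needs in order to plant a command.
CLIPBOARD_PATTERNS = [
    r"navigator\.clipboard\.writeText",
    r"execCommand\(\s*['\"]copy['\"]\s*\)",
]
# Wording that pairs a "verification" framing with the Run dialog or a shell.
LURE_PATTERNS = [
    r"win(dows)?\s*(key)?\s*\+\s*r\b",
    r"run\s+dialog",
    r"powershell",
    r"mshta",
    r"verify\s+you\s+are\s+(a\s+)?human",
    r"cloudflare",
    r"captcha",
]


def parse_version(text):
    """'Ghost 5.0' -> (5, 0, 0); tolerates two- or three-part versions."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def version_in_affected_range(text):
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def _any(patterns, text):
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)


class _Collector(HTMLParser):
    """Pulls the generator <meta>, inline <script> bodies, external src URLs and page text."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.inline_scripts = []
        self.external_scripts = []
        self.text = []
        self._script_src = None
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generator = a.get("content", "")
        elif tag == "script":
            self._in_script = True
            self._buf = []
            self._script_src = a.get("src")
            if self._script_src:
                self.external_scripts.append(self._script_src)

    def handle_data(self, data):
        # <script> content is delivered raw by HTMLParser, so it lands in _buf.
        (self._buf if self._in_script else self.text).append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            if not self._script_src:
                self.inline_scripts.append("".join(self._buf))


def scan_html(html):
    """Return a triage summary for one rendered page: version hint, external
    scripts to review against a known-good theme, and clipboard-writing inline
    scripts (rated high when lure wording is also present)."""
    c = _Collector()
    c.feed(html)
    page_text = " ".join(c.text)
    findings = []
    for i, body in enumerate(c.inline_scripts):
        if _any(CLIPBOARD_PATTERNS, body):
            lure = _any(LURE_PATTERNS, body) or _any(LURE_PATTERNS, page_text)
            findings.append({"script_index": i,
                             "severity": "high" if lure else "medium",
                             "snippet": body.strip()[:80]})
    return {
        "ghost_version": c.generator,
        "version_affected": bool(c.generator) and version_in_affected_range(c.generator),
        "external_scripts": c.external_scripts,
        "clipboard_findings": findings,
    }


# Constructed sample page: a Ghost 5.x site with one injected, inert lure script.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="Ghost 5.0">
<title>Campus News</title>
<script src="https://cdn.example.invalid/stage2.js"></script>
</head><body>
<div id="verify">Verify you are human: press Win+R, then paste and press Enter.</div>
<script>
  // constructed, inert stand-in for an injected lure: copies a placeholder string
  navigator.clipboard.writeText("echo placeholder");
</script>
<script>console.log("theme analytics");</script>
</body></html>"""

if __name__ == "__main__":
    print(json.dumps(scan_html(SAMPLE_HTML), indent=2))
```

Run it against the saved HTML of each public page (and the Ghost code-injection settings, which render into the same head/foot positions); any external script not in the theme's known-good list and any clipboard-writing inline script merit a manual look, and a version hint inside the affected range is a reason to confirm the exact version on the host and patch.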
Source: https://www.malwarebytes.com/blog/bugs/2026/05/700-education-and-tech-websites-hijacked-in-huge-clickfix-malware-campaign