Ghost CMS SQL injection weaponised in coordinated ClickFix distribution campaign
Attackers are exploiting a critical SQL injection flaw (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript that delivers ClickFix social engineering attacks at scale. This combines server-side code execution with client-side manipulation, significantly amplifying attack reach.
A large-scale campaign is actively exploiting CVE-2026-26980, a critical SQL injection vulnerability in Ghost CMS, to inject malicious JavaScript payloads into legitimate websites. Rather than pursuing traditional post-exploitation goals like data exfiltration, the attackers are weaponising the compromised sites as distribution nodes for ClickFix attacks, a social engineering technique that tricks users into performing actions that compromise their systems.
The technical chain here is particularly dangerous: SQL injection typically allows database query manipulation, but injecting JavaScript through a CMS database suggests either direct storage of executable code in database fields that are later rendered unsanitised in the frontend, or exploitation of template rendering mechanisms. This indicates either inadequate input validation at the database layer or unsafe deserialisation of stored content. The attackers are leveraging the trust users place in legitimate websites to lower their guard before ClickFix prompts appear.
Ghost CMS instances are commonly used by publishers, technology companies, and security-conscious organisations, making compromised sites potentially high-value distribution points. A single injection could affect thousands of visitors across multiple domains if the vulnerability exists in shared hosting or multi-tenant deployments. The breadth of this campaign suggests coordinated reconnaissance and exploitation infrastructure, not opportunistic scanning.
Defenders operating Ghost CMS must apply patches immediately and audit web application firewalls for SQL injection patterns. Content security policy headers should block inline script execution to mitigate stored XSS risks. Website operators should monitor database logs for suspicious queries and check for modified template files or unexpected JavaScript inclusions. End users should treat ClickFix prompts with extreme scepticism, particularly those appearing during routine browsing.
This campaign demonstrates a shift in vulnerability monetisation: rather than extracting data or installing persistent backdoors, attackers are renting compromised sites as temporary malware distribution infrastructure. This is more evasive than traditional malware hosting because legitimate site visitors are less likely to report the attack, and defenders may not detect the injection if monitoring focuses solely on server-side behaviour rather than content integrity.