TempMail Ninja

Ghost CMS Vulnerability Exploited: 700+ Websites Hit by ClickFix Malware

Security researchers have issued urgent warnings about a large, highly automated attack campaign that shows how fragile trust on the modern web is. Over the last several weeks, threat actors have exploited a critical, unauthenticated Ghost CMS vulnerability to compromise more than 700 legitimate websites worldwide. Reported victims include academic portals at Harvard University, Oxford University, and Auburn University, the privacy-focused search engine DuckDuckGo, and various software-as-a-service (SaaS) and fintech portals. Rather than defacing these sites or stealing their database contents, the attackers have silently turned them into watering holes, trading on the sites' high domain reputation to serve deceptive “ClickFix” social engineering prompts to unsuspecting visitors. The end goal is to deliver information-stealing malware to end-user endpoints: a ClickFix prompt talks the visitor into pasting and running a command themselves, which is why the lure sidesteps many perimeter and endpoint protections.

Understanding CVE-2026-26980: Technical Anatomy of the Ghost CMS Vulnerability

To understand the scale of the compromise, start with the underlying flaw. Tracked as CVE-2026-26980, it is an unauthenticated SQL injection with a CVSS v3.x base score of 9.4 (some other scoring sources rate it 9.5). It was discovered by security researcher Nicholas Carlini using Anthropic’s Claude AI assistant, responsibly disclosed, and patched by the Ghost Foundation on February 19, 2026, in Ghost 6.19.1. Although the patch has been available for over three months, hundreds of public-facing Ghost deployments remain unpatched, providing a fertile hunting ground for opportunistic threat groups.

The root cause lies in the Ghost Content API, specifically in the input serializer that orders results when a filter lists slugs: ghost/core/core/server/api/endpoints/utils/serializers/input/utils/slug-filter-order.js. The helper slugFilterOrder(table, filter) parses array expressions such as slug:[tag-a,tag-b] in an NQL filter so that matching posts come back in the order the slugs were requested. Its implementation interpolated each user-supplied slug straight into a raw SQL CASE WHEN expression, with no parameterization:

// Vulnerable Code block before Ghost v6.19.1
order += `WHEN \`${table}\`.\`slug\` = '${slug}' THEN ${index} `;

NQL’s grammar normally rejects characters that are useful for injection, such as spaces and unescaped single quotes in unquoted values, but researchers found a bypass. NQL accepts single-quote-wrapped values inside array notation (for instance slug:['value']) and passes the quotes through as literal characters. The regex in the slug ordering helper then extracts those values, quotes included, and concatenates them directly into the SQL string. With a filter such as slug:['||CASE WHEN 1=1 THEN 0 ELSE EXP(710) END||',news], the leading quote closes the string literal in the generated WHEN clause and the || concatenation appends an attacker-controlled expression. EXP(710) overflows MySQL’s DOUBLE range and raises an error, so an unauthenticated attacker can evaluate arbitrary conditions against the backend database one true/false answer at a time (error-based blind SQL injection).
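To make the mechanism concrete, here is an added illustration in Node.js that is not Ghost’s own code and not the project’s fix. It re-creates the shape of the slug-ordering helper: only the quoted template-string line is taken from the page, while the extraction regex, the loop, the hardened variant (slug and identifier allow-lists plus bind parameters) and the payload constant are assumptions of this example.

```javascript
// Added illustration, not Ghost's own code: a simplified re-creation of the
// slug-ordering helper described above. Only the quoted template-string line
// is taken from the page; the surrounding regex and loop are assumed.

// Vulnerable shape: each value pulled from slug:[...] is interpolated into SQL,
// quotes included, so '||...||' closes the '' literal and appends attacker SQL.
function slugFilterOrderVulnerable(table, filter) {
  const match = /slug:\[([^\]]+)\]/.exec(filter); // assumed extraction regex
  if (!match) return '';
  const slugs = match[1].split(',').map((s) => s.trim());
  let order = 'CASE ';
  slugs.forEach((slug, index) => {
    order += `WHEN \`${table}\`.\`slug\` = '${slug}' THEN ${index} `;
  });
  return order + 'END ASC';
}

// Hardened shape (added here, not Ghost's patch): only values that look like
// slugs are accepted, the table identifier is allow-listed, and every slug is
// returned as a bind parameter so the driver, not string concatenation, quotes it.
const SLUG_RE = /^[a-z0-9]+(?:-[a-z0-9]+)*$/;
const TABLE_RE = /^[a-z_]+$/;

function slugFilterOrderSafe(table, filter) {
  if (!TABLE_RE.test(table)) {
    throw new Error(`rejected table identifier: ${JSON.stringify(table)}`);
  }
  const match = /slug:\[([^\]]+)\]/.exec(filter);
  if (!match) return { sql: '', bindings: [] };
  const slugs = match[1].split(',').map((s) => s.trim());
  for (const slug of slugs) {
    if (!SLUG_RE.test(slug)) {
      throw new Error(`rejected non-slug value in order filter: ${JSON.stringify(slug)}`);
    }
  }
  const clauses = slugs.map((_, index) => `WHEN \`${table}\`.\`slug\` = ? THEN ${index}`);
  return { sql: `CASE ${clauses.join(' ')} END ASC`, bindings: slugs };
}

// Constructed payload in the shape described in the text above.
const PAYLOAD = "slug:['||CASE WHEN 1=1 THEN 0 ELSE EXP(710) END||',news]";

// Runs both helpers against the payload and a benign filter and returns the
// generated SQL so the difference can be inspected (or asserted on).
function demo() {
  const injected = slugFilterOrderVulnerable('posts', PAYLOAD);
  let rejected = null;
  try {
    slugFilterOrderSafe('posts', PAYLOAD);
  } catch (err) {
    rejected = err.message;
  }
  const benign = slugFilterOrderSafe('posts', 'slug:[tag-a,tag-b]');
  return { injected, rejected, benign };
}

console.log(JSON.stringify(demo(), null, 2));
```

The vulnerable helper turns the payload into `... = ''||CASE WHEN 1=1 THEN 0 ELSE EXP(710) END||'' THEN 0 ...`, which is exactly the string-close-and-concatenate pattern the text describes; the hardened helper refuses the value before any SQL is built and, for a benign filter, emits `?` placeholders with the slugs as bindings.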

Crucially, the exploit needs no administrator or member credentials. Ghost’s public Content API (endpoints such as /ghost/api/content/posts/) authenticates requests with Content API keys, and those keys are embedded in the HTML or theme scripts of every public Ghost site so that client-side code can fetch content. Because the keys are public by design, any outsider can send the crafted filter to a vulnerable endpoint, which makes this Ghost CMS vulnerability a reliable, zero-authentication remote vector.
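Since the malicious request is an ordinary, unauthenticated Content API call, the place to look for it is the web server’s access log. The following Node.js scanner is an added example, not code from the page or from Ghost: it parses combined-format log lines, keeps only requests under /ghost/api/content/, percent-decodes the filter query parameter, and flags filters that carry a quoted value inside a slug:[...] array or a SQL keyword. The log lines, client addresses (RFC 5737 documentation ranges), the key value and the keyword list are all constructed for this example.

```javascript
// Added example, not from the page or from Ghost: flag Content API requests
// whose NQL filter has the shape of the bypass described above.
// The log lines below are constructed (Nginx combined format, documentation
// IP ranges, a made-up Content API key), not real traffic.
const SAMPLE_LOG = [
  '203.0.113.5 - - [12/May/2026:10:00:01 +0000] "GET /ghost/api/content/posts/?key=0123456789abcdef0123456789&limit=5 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [12/May/2026:10:00:02 +0000] "GET /ghost/api/content/posts/?key=0123456789abcdef0123456789&filter=slug%3A%5Btag-a%2Ctag-b%5D HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [12/May/2026:10:00:03 +0000] "GET /ghost/api/content/posts/?key=0123456789abcdef0123456789&filter=slug%3A%5B%27%7C%7CCASE%20WHEN%201%3D1%20THEN%200%20ELSE%20EXP(710)%20END%7C%7C%27%2Cnews%5D HTTP/1.1" 500 128 "-" "python-requests/2.31.0"',
  '198.51.100.7 - - [12/May/2026:10:00:04 +0000] "GET /ghost/api/admin/posts/ HTTP/1.1" 403 64 "-" "python-requests/2.31.0"',
];

// Request target between the quotes of the combined-format request field.
const REQUEST_RE = /"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/;
// A single quote anywhere inside slug:[...] is the bypass shape from the text.
const QUOTED_ARRAY_VALUE_RE = /slug:\[[^\]]*'/;
// Assumed keyword list; extend it to taste.
const SQL_TOKEN_RE = /\b(?:CASE|WHEN|SELECT|UNION|SLEEP|BENCHMARK|EXP|LOAD_FILE)\b/i;

// Returns a finding for one log line, or null when nothing is suspicious.
function inspectLine(line) {
  const m = REQUEST_RE.exec(line);
  if (!m) return null;
  // The base URL is only there to satisfy the WHATWG parser for a bare path.
  const url = new URL(m[1], 'http://placeholder.invalid');
  if (!url.pathname.startsWith('/ghost/api/content/')) return null;
  const filter = url.searchParams.get('filter'); // percent-decoded by URLSearchParams
  if (filter === null) return null;
  const reasons = [];
  if (QUOTED_ARRAY_VALUE_RE.test(filter)) reasons.push('quoted value inside slug array');
  if (SQL_TOKEN_RE.test(filter)) reasons.push('SQL keyword in filter');
  if (reasons.length === 0) return null;
  return { client: line.split(' ')[0], path: url.pathname, filter, reasons };
}

// Scans a list of log lines and returns only the findings.
function scanLog(lines) {
  return lines.map(inspectLine).filter(Boolean);
}

for (const hit of scanLog(SAMPLE_LOG)) {
  console.log(`${hit.client} ${hit.path} :: ${hit.reasons.join('; ')}\n  filter=${hit.filter}`);
}
```

On the constructed sample only the third line is reported (both reasons fire on it); the benign slug:[tag-a,tag-b] request and the request without a filter pass, and the Admin API request is out of scope for this rule. A quoted slug value on its own can occur in legitimate theme code, so treat the quote-only finding as lower confidence than one that also carries a SQL keyword or coincides with a 500 response.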

From Database Dump to Site Poisoning: The Admin API Takeover

Once attackers exploit CVE-2026-26980 they do not stop at reading posts. They use the blind SQL injection to extract sensitive data from the database, primarily the Admin API keys stored in Ghost’s internal tables. Unlike short-lived session tokens or hashed passwords, these keys are long-lived, high-privilege credentials that grant full programmatic access to the CMS’s management functions.

Equipped with a compromised Admin API key, the threat actors launch a fully automated post-exploitation phase, driving the Ghost Admin API programmatically (for example the /ghost/api/admin/posts/ endpoints). Because the Admin API accepts a token minted from such a key in the HTTP Authorization header, the attackers bypass every other authentication control


Written by TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.