Ghost CMS flaw hijacked to target hundreds of websites with ClickFix attacks — here's how to stay safe


  • Researchers warn CVE‑2026‑26980, a critical SQL injection flaw in Ghost CMS (score 9.4), is being exploited in a large ClickFix campaign
  • Over 700 domains, including Harvard, Oxford, DuckDuckGo, and major AI/SaaS firms, were compromised to deliver malware via DLL loaders, JS droppers, and Electron‑based payloads
  • Admins should urgently upgrade to Ghost 6.19.1 or later and monitor 30‑day admin API logs to detect potential compromise

A critical-severity vulnerability that reportedly was patched three months ago is being exploited in a massive ClickFix campaign, researchers have claimed.

In mid-February 2026, a critical SQL injection vulnerability was found in Ghost CMS, a popular open-source Content Management System (CMS) currently used by more than 57,000 websites, including the likes of 404 Media, the Canadian government, and Duolingo.

The flaw, tracked as CVE-2026-26980 and affecting Ghost 3.24.0 through 6.19.0, was assigned a severity score of 9.4/10 (critical). It potentially allows unauthenticated attackers to perform arbitrary reads from the database, which grants management access to users, articles, themes, and article pages.


Deploying various malware

However, many users most likely did not patch, as Chinese cybersecurity firm Qianxin claims more than 700 domains were compromised to serve ClickFix attack flows.

Among them are Harvard University, Oxford University, Auburn University, DuckDuckGo, and many AI/SaaS company sites, media outlets, fintech firms, and others.

ClickFix is a type of scam in which attackers tell the victims they have a problem (which they don’t) and then provide the solution (which it really isn’t). The “solution”, however, just deploys a piece of malware, and depending on the attackers and the targets, it can vary from classic backdoors to ransomware encryptors.

In this campaign, the researchers saw DLL loaders, JavaScript droppers, and a generic Electron-based malware being distributed.

The best way to mitigate the threat is to simply upgrade Ghost CMS to version 6.19.1, or to whatever the latest version is at the moment. Website owners are also advised to keep a 30-day record of admin API call logs, just to keep track of potential compromise.
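For admins running more than one Ghost site, the check below sorts an inventory of reported versions against the affected range and fixed release given above. It is an added example, not code from the article or the Ghost project; the hostnames and versions in the sample inventory are constructed, and the status labels are this example's own.

```python
import re

# Version bounds as stated in the article for CVE-2026-26980.
FIRST_AFFECTED = (3, 24, 0)
FIXED = (6, 19, 1)

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")

def parse_version(text):
    """Return ((major, minor, patch), prerelease or None); None if not a version."""
    match = _SEMVER.match(text.strip())
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1, 2, 3)), match.group(4)

def classify(version_text):
    """Map a reported Ghost version onto the article's affected range."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown"          # empty or garbled value: check the host by hand
    core, prerelease = parsed
    # A pre-release sorts just below its release, so 6.19.1-rc.1 falls between
    # the last affected and the fixed version; the article does not cover it.
    if prerelease and core in (FIRST_AFFECTED, FIXED):
        return "review"
    if core >= FIXED:
        return "fixed"
    if core >= FIRST_AFFECTED:
        return "affected"         # 3.24.0 through 6.19.0
    return "before-range"         # older than 3.24.0, not listed as affected

def triage(inventory):
    """Group hostnames by status so affected hosts can be upgraded first."""
    groups = {}
    for host, version_text in inventory.items():
        groups.setdefault(classify(version_text), []).append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}

# Constructed inventory (hypothetical hosts and versions, not from the article).
SAMPLE_INVENTORY = {
    "blog.example.org": "6.19.0",
    "news.example.org": "v6.19.1",
    "docs.example.org": "5.82.2",
    "old.example.org": "3.23.9",
    "stage.example.org": "6.19.1-rc.1",
    "lab.example.org": "",
}

print(triage(SAMPLE_INVENTORY))
```

A host reported as "fixed" was still exposed for as long as it ran an affected version, so the log review advice applies to it as well.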

Via BleepingComputer



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
