
Ghost CMS SQL Injection Fuels ClickFix Attacks on 700 Sites

Eng. Donya Bino Published  ·  9 min read

Threat actors exploited a critical SQL injection vulnerability in Ghost CMS to inject malicious JavaScript that launches ClickFix campaigns against unsuspecting website visitors.

The Ghost CMS SQL injection ClickFix attacks exploit a recently discovered SQL injection vulnerability, tracked as CVE-2026-26980 (CVSS score 9.4), that was patched in Ghost 6.19.1 (February 2026).

Anthropic discovered the vulnerability using Claude. It allows unauthenticated attackers to read arbitrary data stored in the database, including sensitive API keys.

How Does the Attack Work?

The Ghost CMS SQL injection ClickFix attacks start by exploiting the SQL injection vulnerability in the Ghost CMS Content API. Exploiting it gives attackers unauthorized access to a site's Admin API key, which lets them call the Admin API directly and modify articles in the content management system.

Once the attacker has the Admin API key, they can tamper with articles in bulk, injecting malicious JavaScript loaders at the bottom of pages to stage fake CAPTCHA attacks.

The Ghost CMS SQL injection ClickFix attacks have compromised more than 700 websites including universities, blockchain platforms, artificial intelligence companies, software-as-a-service providers, security research firms, media outlets, and financial technology sectors.

The Two-Stage Loader

The injected JavaScript code at the bottom of an article functions as a two-stage loader, and it retrieves the main payload at runtime from an external domain at clo4shara[.]xyz/11z77u3.php.

This architecture gives the threat actor flexibility: payloads can be swapped out based on different criteria while the loader stays the same across the compromised sites.

The Ghost CMS SQL injection ClickFix attacks use this modular approach to adapt their behavior depending on the victim's browser fingerprint.

The Cloaking Script

Accessing clo4shara[.]xyz/11z77u3.php directly reveals what is essentially a typical traffic distribution script, whose core function is to collect fingerprint information from the user's browser and upload it to the server.

The script then performs actions such as redirects, popups, and downloads based on the instructions returned. The Ghost CMS SQL injection ClickFix attacks use Adspect, a commercial cloaking service.

The idea behind using the cloaking script is to ensure that only real victims are served the actual payload, while security scanners and crawlers will only see a benign web page.

The script supports 19 different commands to run arbitrary JavaScript code and facilitate remote control of the victim's browser.

The ClickFix Attack

Visitors judged to be intended targets are ultimately served a fake CAPTCHA "prove you are human" page inside an iframe HTML element, which triggers the ClickFix attack.

The Ghost CMS SQL injection ClickFix attacks instruct victims to copy and paste a Base64-encoded command into the Windows Run dialog; this command serves as a dropper that delivers a ZIP archive.

The ZIP archive contains a Windows batch script that runs a PowerShell command to download a DLL from a remote domain, launches the DLL with rundll32.exe, and opens a bogus web page as a distraction for the user.

The Payload Evolution

Subsequent iterations of the Ghost CMS SQL injection ClickFix attacks have replaced the DLL with a JavaScript payload.

Regardless of the type of the payload, the end goal of the attack is to drop a Windows executable.

When the DLL payload is used, the executable is a PuTTY client with a valid code-signing certificate; the legitimate certificate helps the malware evade detection.

When the JavaScript payload is used, the binary is an Inno Setup installer for an Electron application.

The Grape Desktop Client Backdoor

The Electron application delivered by the Ghost CMS SQL injection ClickFix attacks is a modified version of the open-source Grape desktop client.

The modified Grape client is designed to achieve persistence on the victim's machine, and it polls a remote server at web-telegram[.]ug every 30 seconds to process instructions issued by the attacker.

The backdoor lets the attacker run JavaScript code and executable files on demand, giving them a persistent remote access point into the compromised system.

Scope of Campaign

So far, three distinct clusters have been confirmed within the campaign of Ghost CMS SQL injection ClickFix attacks, which was discovered on May 7th, 2026.

In some instances attackers modified the code on sites in less than a day, and the ClickFix campaign has already compromised over 700 sites across multiple industries.

Because legitimate sites have been compromised, the ClickFix attacks may have a higher chance of success: victims are more apt to trust a compromised site they already know than a random malicious site.

The Adspect Cloaking Service

The Ghost CMS SQL injection ClickFix attacks use Adspect, a commercial cloaking service; cloaking services are designed to show different content to different visitors based on their fingerprint.

Security researchers and automated scanners see a benign web page, and real victims see the malicious fake CAPTCHA.

This evasion technique makes the Ghost CMS SQL injection ClickFix attacks difficult to detect with automated security tools, and the attackers can change their payloads without changing the loader.

Who Is in Danger

The Ghost CMS SQL injection ClickFix attacks are affecting many different types of websites.

Examples of site types that could be impacted (and the users targeted) include:
1. Universities (students and faculty)
2. Blockchain / cryptocurrency (users' crypto wallets)
3. AI companies (employees credential theft)
4. SaaS (users could be directed to fake CAPTCHA pages)
5. Security research companies (ironically) are also included
6. Media (readers can get malware now)
7. Fintech (users' financial data is vulnerable)

How to Protect Your Ghost CMS Site

The Ghost CMS SQL injection ClickFix attacks are active; here is what you need to do:

1. Upgrade Ghost CMS right away. The SQL injection ClickFix attacks exploit a vulnerability that was fixed starting with version 6.19.1.

2. Rotate all passwords and access tokens associated with your Ghost CMS. If your site was hacked or compromised during this period, change your Admin API keys, database passwords and any other credentials stored in Ghost CMS.

3. Check every article for JavaScript that may have been injected at the bottom of the article, and remove any suspicious code from all of your articles.

4. Check your Ghost CMS server's access logs for unauthorized API access or suspicious changes. The SQL injection ClickFix attacks should leave traces in these files.

5. Inform your users if you were hacked or compromised during this period. Advise them to run a virus scan on their systems to look for malware that could have been placed on their computers while your site was infected.
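Step 3 above asks you to audit every article for an injected loader. The following script is an added example (not Ghost's own tooling) that walks a Ghost JSON content export, flags script tags pointing at the campaign domains quoted above, any script loaded from a host other than your own site, and inline scripts that build a second-stage loader at runtime; the export layout db[0].data.posts[].html, the site host name and the sample posts are assumptions constructed for the example.

```python
"""Audit Ghost post HTML for injected script loaders (added example, not Ghost's own tooling)."""
import json
import re
from urllib.parse import urlparse

# Campaign domains quoted in the write-up, with the [.] de-fanging removed.
KNOWN_BAD_DOMAINS = {"clo4shara.xyz", "web-telegram.ug"}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
# Constructs typical of a runtime loader that fetches a second stage from elsewhere.
LOADER_RE = re.compile(r"""eval\(|atob\(|document\.write|createElement\(\s*["']script""", re.IGNORECASE)


def audit_post_html(html, site_host, allowed_hosts=()):
    """Return a list of (kind, detail) findings for one post's rendered HTML."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            host = (urlparse(src.group(1)).hostname or "").lower()
            if host in KNOWN_BAD_DOMAINS:
                findings.append(("known_ioc", host))
            elif host and host != site_host and host not in allowed_hosts:
                findings.append(("external_script", host))
        elif LOADER_RE.search(body):
            findings.append(("inline_loader", body.strip()[:80]))
    return findings


def audit_export(export_json, site_host, allowed_hosts=()):
    """Walk a Ghost JSON export (assumed layout: db[0].data.posts[].html) and
    return {post slug: findings} for every post with at least one finding."""
    data = json.loads(export_json)
    report = {}
    for post in data["db"][0]["data"]["posts"]:
        found = audit_post_html(post.get("html") or "", site_host, allowed_hosts)
        if found:
            report[post["slug"]] = found
    return report


# Constructed sample export: a clean post, one carrying the campaign loader, one with an inline stager.
SAMPLE_EXPORT = json.dumps({"db": [{"data": {"posts": [
    {"slug": "clean", "html": "<p>Hello</p><script src=\"https://blog.example/app.js\"></script>"},
    {"slug": "tampered", "html": "<p>Post</p><script src=\"https://clo4shara.xyz/11z77u3.php\"></script>"},
    {"slug": "stager", "html": "<p>x</p><script>var s=document.createElement('script');"
                               "s.src=atob('Li4u');document.head.appendChild(s);</script>"},
]}}]})

if __name__ == "__main__":
    for slug, found in audit_export(SAMPLE_EXPORT, "blog.example").items():
        print(slug, found)
```

Run it against the export produced by Ghost's Labs "Export your content" page, passing your own site's host name and any CDN hosts you legitimately load scripts from as `allowed_hosts`.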

The ClickFix Threat

Ghost CMS SQL injection ClickFix attacks are one instance of a larger trend called ClickFix campaigns.

ClickFix attacks manipulate a person into pasting malicious commands on their own machine while they believe they are completing a CAPTCHA or fixing a problem.

Ghost CMS SQL injection ClickFix attacks demonstrate that even legitimate web pages can be turned into weapons for distributing malware, and that individuals should not trust a site simply because it has a positive reputation.

Final Thoughts

The Ghost CMS SQL injection ClickFix attacks are a reminder that content management system vulnerabilities have real-world consequences.

A SQL injection flaw in Ghost CMS allowed attackers to steal Admin API keys; those keys were used to inject malicious code into 700+ legitimate websites, which are now distributing malware to their own visitors.

If you run a Ghost CMS site, check your version today, update to 6.19.1 or later, rotate your credentials, and audit your content.

If you are a user, be cautious when visiting any website, and never copy and paste commands from a website into your Run dialog, because the next fake CAPTCHA could be coming from a site you trust.

FAQ Section

What is CVE-2026-26980?

CVE-2026-26980 is a SQL injection vulnerability that exists in Ghost CMS' Content API; CVE-2026-26980 has received a CVSS of 9.4. This vulnerability could allow an unauthenticated attacker to read arbitrary data from the database, including admin API keys.

What is the impact of the Ghost CMS SQL injection ClickFix attacks?

The Ghost CMS SQL Injection ClickFix attacks have impacted over 700 university, blockchain, AI, SaaS, security research, media and finance sector websites.

What does a ClickFix Attack consist of?

A ClickFix attack convinces the victim to copy and paste a Base64-encoded command into the Windows Run dialog, which downloads and executes malicious code while the victim believes they are completing a CAPTCHA.

What types of malware are delivered by this campaign (the Ghost CMS SQL injection ClickFix attacks)?

The attacks deliver a validly code-signed PuTTY client (SSH client) or a modified Grape desktop client that polls an attacker-controlled C2 site every 30 seconds for commands.

How do I protect my Ghost CMS site from being vulnerable to this type of attack?

Upgrade your Ghost site to version 6.19.1 or newer; rotate all Admin API keys and credentials; check your articles for injected JavaScript; and check your site's logs for unauthorized changes.

Source: The Hacker News