Seven hundred websites are actively serving malware to visitors right now — including Harvard, Oxford, and DuckDuckGo — because of a Ghost CMS SQL injection that was patched three months ago. One unauthenticated HTTP request to a vulnerable Ghost instance is all it takes to extract the admin API key. From there, attackers take minutes to inject malicious JavaScript into every published article on the site. If you run a self-hosted Ghost instance older than version 6.19.1, stop reading and go update.
One Request, No Auth, Admin Key Extracted
CVE-2026-26980 is a blind SQL injection in Ghost’s Content API, specifically in the /ghost/api/content/tags/ endpoint via the filter parameter. CVSS score: 9.4. Affected versions: Ghost 3.24.0 through 6.19.0. No login is required to exploit it.
The root cause is a classic one: Ghost’s slug-filter ordering code concatenated user-supplied values directly into SQL CASE statements. Attackers could close the string context and inject arbitrary SQL, including a query that reads the admin API key straight out of the database. The fix in version 6.19.1, released February 19, 2026, replaced string concatenation with parameterized queries — user input becomes a bound value slot, not part of the SQL structure. The database can never execute what lives in a value slot. Simple fix. Three months too late for 700 sites.
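As an added illustration (not Ghost's actual code), the unsafe pattern described above beside its parameterized form: a slug-ordering CASE expression built from caller-supplied slugs. The table and column names are assumptions; a benign slug containing an apostrophe is enough to show why the structure matters.

```javascript
// Added example, not Ghost's code. Builds an ORDER BY CASE expression that
// ranks rows by the position of their slug in a caller-supplied list.

// BAD: each slug is spliced into the SQL text, so any quote character inside
// it changes the statement's structure instead of its data.
function buildSlugOrderUnsafe(slugs) {
  const whens = slugs
    .map((slug, i) => `WHEN tags.slug = '${slug}' THEN ${i}`)
    .join(' ');
  return { sql: `ORDER BY CASE ${whens} ELSE ${slugs.length} END`, bindings: [] };
}

// GOOD: the SQL structure is fixed at build time; slugs travel separately as
// bound values that the database engine never parses as SQL.
function buildSlugOrderSafe(slugs) {
  const whens = slugs
    .map((_, i) => `WHEN tags.slug = ? THEN ${i}`)
    .join(' ');
  return { sql: `ORDER BY CASE ${whens} ELSE ${slugs.length} END`, bindings: [...slugs] };
}

// Constructed input: a harmless slug with an apostrophe. In the unsafe form the
// quote closes the string literal and the rest of the slug becomes SQL.
const SAMPLE_SLUGS = ['news', "rock'n'roll"];
console.log(buildSlugOrderUnsafe(SAMPLE_SLUGS).sql);
console.log(buildSlugOrderSafe(SAMPLE_SLUGS));
```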
From Key Theft to Malware on Your Visitors’ Machines
Once attackers have the admin API key, the next steps are automated. They authenticate to the Ghost Admin API and inject a JavaScript loader into every published article. Visitors to those articles see what looks like a Cloudflare Turnstile verification page — complete with official branding, fake Ray IDs, and a checkbox. When a visitor clicks the checkbox, a PowerShell command is silently copied to their clipboard. The page then instructs them to open Windows Run (Win+R), paste, and press Enter.
This is a ClickFix attack — a social engineering technique that has become a dominant delivery mechanism in 2026. The executed PowerShell script disables Windows AMSI (the Antimalware Scan Interface that antivirus products hook into) and ETW event logging, then drops a Lua-based malware loader that connects to a command-and-control server. No visitor-side software vulnerability is involved. The attack relies entirely on users trusting a familiar-looking prompt on a site they already visit.
700 Sites, Including the Ones You’d Trust Most
XLab, the threat intelligence team at Qianxin, confirmed over 700 compromised domains. The list includes Harvard, Oxford, Auburn University, and DuckDuckGo, alongside AI startups, fintech companies, and security blogs. The victims are not random. Ghost is the CMS of choice for developer-focused publications and independent tech journalists. Their readers are technically literate people who recognize a Cloudflare verification page and follow instructions without second-guessing them — which is precisely why this attack was designed for these sites.
This also fits the broader 2026 trend the Verizon DBIR flagged earlier this month: exploits are now the leading initial access vector, overtaking stolen credentials. Attackers are scanning for unpatched CVEs within days of publication and weaponizing them at scale.
The Patch Existed. Nobody Installed It.
Ghost 6.19.1 shipped February 19, 2026 — three months before mass exploitation began. Ghost Pro users on managed hosting were patched automatically and are not at risk. Self-hosted Ghost requires manual updates, and clearly a significant number of administrators skipped this one. The pattern is not new: a critical patch drops, administrators deprioritize it, attackers watch the CVE database, and mass exploitation follows. What has changed is the timeline. Three months is now a comfortable window for a well-organized campaign to identify every unpatched installation and hit them all.
What to Do Right Now
If you run a self-hosted Ghost instance, work through this checklist in order. Do not skip step 2 — upgrading alone is not enough if your admin key was already stolen.
- Upgrade to Ghost 6.19.1 or later immediately. Check the Ghost update documentation for your deployment method. This closes the SQL injection but does not revoke keys that were already extracted.
- Rotate all credentials. Admin API Key, Content API Key, administrator passwords, and session tokens — all of them. Any credential generated while running a vulnerable version must be treated as compromised.
- Audit your published articles for injected JavaScript. Check raw HTML output, not just the Ghost editor view. Injected loader scripts may not render visibly in the admin interface but will be present in the published markup.
- Review your Admin API access logs. Look for unauthorized bulk article edits or API calls that do not correspond to your own activity. Retain at least 30 days of logs and check against the indicators of compromise published by XLab in the CVE-2026-26980 advisory.
- Notify your readers if you find evidence of compromise. Visitors who may have encountered the fake Cloudflare prompt need to run local security checks. The malware drops silently — they may not know they were targeted.
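One way to carry out the article audit in step 3 against the raw published HTML, as an added example that is not part of the original post or of Ghost: every script tag is checked against an allowlist of hosts you expect your theme to load from, and any inline script inside the page is reported. The allowlist hosts and the sample page are constructed for illustration.

```javascript
// Added example, not Ghost's code. Scans published HTML for <script> tags and
// reports any whose source host is not expected, plus any inline script body.
// Hosts below are constructed placeholders; replace them with your own origins.
const ALLOWED_SCRIPT_HOSTS = new Set(['example-blog.test', 'cdn.example-blog.test']);
const SITE_ORIGIN = 'https://example-blog.test/'; // used to resolve relative src values

function auditScripts(html, allowedHosts = ALLOWED_SCRIPT_HOSTS) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2].trim();
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (srcMatch) {
      let host = null;
      try { host = new URL(srcMatch[1], SITE_ORIGIN).hostname; } catch { /* unparsable src */ }
      if (!host || !allowedHosts.has(host)) {
        findings.push({ kind: 'external-src', detail: srcMatch[1] });
      }
    } else if (body.length > 0) {
      // Inline code inside post markup is the injection pattern the article describes;
      // report it so a human can review it, truncated to keep the report readable.
      findings.push({ kind: 'inline', detail: body.slice(0, 60) });
    }
  }
  return findings;
}

// Constructed sample page: one expected theme script, one unexpected external
// loader, and one inline block placed inside the article body.
const SAMPLE_HTML = `
<html><head><script src="/assets/theme.js"></script></head>
<body><article>
<p>Hello</p>
<script src="https://unrelated-cdn.test/loader.js"></script>
<script>document.body.insertAdjacentHTML("beforeend","<div id=verify></div>")</script>
</article></body></html>`;

console.log(JSON.stringify(auditScripts(SAMPLE_HTML), null, 2));
```

Run it over each published URL's raw HTML (curl output, not the editor view) and treat every finding as something to explain or remove.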
Ghost Pro users: you are not affected. This is a self-hosted-only problem.
The Real Problem Is Update Discipline
CVE-2026-26980 is not a sophisticated vulnerability. It is a SQL concatenation bug — the type covered in introductory security courses as a canonical example of what not to do. The patch is a straightforward parameterization fix. What made it dangerous at scale was the combination of a widely used CMS, manual update requirements, and three months of administrative inertia. The 700-site compromise is not primarily a Ghost story. It is an update discipline story. Attackers are running automated scans against the CVE database. If you own a self-hosted CMS with public endpoints, your update schedule is your threat surface. Treat it accordingly.