Ghost CMS flaw abused to push ClickFix attacks on hundreds of sites

Attackers are actively exploiting a patched SQL injection in Ghost CMS (CVE-2026-26980) to extract Admin API keys and compromise over 700 unpatched sites, including universities; injected JavaScript redirected visitors to a fake CAPTCHA 'ClickFix' flow that social-engineered users into running commands which delivered malware. The campaign is highly automated (bulk scanning, automatic key extraction, bulk injection, dynamic C2), involves at least two competing groups, and includes IoCs—site owners are advised to patch Ghost, rotate credentials, remove injected scripts from the database, and review logs.