Ghost CMS Vulnerability Exploited to Infect 700 Sites With ClickFix Malware
ID: 0e53d07d-c17b-5d04-b568-a26e2e3173a6
STIX ID: report--0e53d07d-c17b-5d04-b568-a26e2e3173a6
Feed Name: GBHackers
Researchers observed active exploitation of a critical Ghost CMS SQL injection (CVE-2026-26980) that allows attackers to extract Admin API keys, modify site content at scale, and inject JavaScript loaders that chain into fingerprinting, social-engineered CAPTCHA prompts, and delivery of ClickFix-style malware (including data-stealing variants) across 700+ domains spanning academia, media, and SaaS. The campaign relies on automated reinfection, infrastructure rotation, and legitimate utilities (e.g., rundll32) for payload execution, persistent backdoors, and C2 communications. Immediate patching, API key rotation, and content and log inspection are strongly advised.
