Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign
ID: 588dadf4-e39b-570e-a4d7-ed327ff34d71
STIX ID: report--588dadf4-e39b-570e-a4d7-ed327ff34d71
Feed Name: Bleeping Computer
A large-scale campaign is exploiting CVE-2026-26980, a SQL injection flaw in Ghost CMS (affecting versions 3.24.0–6.19.0), to steal admin API keys and inject malicious JavaScript that loads a cloaked ClickFix flow. The injected code fingerprints visitors and serves a fake Cloudflare prompt that tricks victims into running commands which drop payloads (DLL loaders, JavaScript droppers, and an Electron-based UtilifySetup.exe). XLab researchers reported more than 700 compromised domains, including university portals and other high-profile sites, and observed multiple activity clusters and reinfections. They recommend upgrading to Ghost 6.19.1, rotating exposed keys, reviewing admin API logs, and scanning for the provided IoCs.
