Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks
ID: 412c8b57-6851-5eb8-bc10-6a9d7327954a
STIX ID: report--412c8b57-6851-5eb8-bc10-6a9d7327954a
Feed Name: The Hacker News
Security researchers observed threat actors exploiting a critical SQL injection vulnerability (CVE-2026-26980, CVSS 9.4) in Ghost CMS to steal Admin API keys and bulk-inject a two-stage JavaScript loader into articles on 700+ sites across universities, blockchain, AI, SaaS, media and fintech. The loader uses a commercial cloaking service to fingerprint visitors and serve a fake CAPTCHA that tricks victims into running a Base64 command. That command downloads archives that execute PowerShell/JavaScript to deliver DLLs or installers (including a signed PuTTY binary and a modified Electron app), which maintain persistence and poll a command server; operators can swap payloads remotely. Users are advised to upgrade Ghost, rotate credentials, clean sites, audit logs, and notify potentially impacted visitors.
