ctipilot.ch

Ghost CMS Content API unauthenticated SQLi (CVSS 9.4); ITW-exploited in ClickFix campaign; fixed 6.19.1

cve · CVE-2026-26980

Coverage timeline
3
first 2026-05-25 → last 2026-05-31
Peak priority
high
1 high · 2 notable
Sources cited
11
4 hosts
Sections touched
3
deep-dive, trending-vulnerabilities, weekly-top-stories
Co-occurring entities
1
see Related entities below
ATT&CK techniques
10
pinned v19.1 · see below

ATT&CK techniques

10 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-05-25/ghost-cms-cve-2026-26980-clickfix-the-cms-compromise-to-endp · ATT&CK page ↗

T1659Content Injection×1

Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., Drive-by Target followed by Drive-by Compromise), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., Ingress Tool Transfer) and other data to already compromised systems.

Evidence: 2026-05-25/ghost-cms-cve-2026-26980-clickfix-the-cms-compromise-to-endp · ATT&CK page ↗

Execution TA0002

T1059Command and Scripting Interpreter×1

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

Evidence: 2026-05-25/ghost-cms-cve-2026-26980-clickfix-the-cms-compromise-to-endp · ATT&CK page ↗

T1059.001Command and Scripting Interpreter: PowerShell×1

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdlet which can be used to run an executable and the <code>Invoke-Command</code> cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).

Evidence: 2026-05-25/ghost-cms-cve-2026-26980-clickfix-the-cms-compromise-to-endp · ATT&CK page ↗

T1059.003Command and Scripting Interpreter: Windows Command Shell×1

Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH.

Evidence: 2026-05-25/ghost-cms-cve-2026-26980-clickfix-the-cms-compromise-to-endp · ATT&CK page ↗

T1204User Execution×1

An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.

Evidence: 2026-05-25/ghost-cms-cve-2026-26980-clickfix-the-cms-compromise-to-endp · ATT&CK page ↗

T1204.002User Execution: Malicious File×1

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, .reg, and .iso.

Evidence: 2026-05-25/ghost-cms-cve-2026-26980-clickfix-the-cms-compromise-to-endp · ATT&CK page ↗

Stealth TA0005

T1480Execution Guardrails×1

Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.

Evidence: 2026-05-25/ghost-cms-cve-2026-26980-clickfix-the-cms-compromise-to-endp · ATT&CK page ↗

Credential Access TA0006

T1552Unsecured Credentials×1

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Shell History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).

Evidence: 2026-05-25/ghost-cms-cve-2026-26980-clickfix-the-cms-compromise-to-endp · ATT&CK page ↗

Command and Control TA0011

T1105Ingress Tool Transfer×1

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).

Evidence: 2026-05-25/ghost-cms-cve-2026-26980-clickfix-the-cms-compromise-to-endp · ATT&CK page ↗

T1659Content Injection×1

Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., Drive-by Target followed by Drive-by Compromise), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., Ingress Tool Transfer) and other data to already compromised systems.

Evidence: 2026-05-25/ghost-cms-cve-2026-26980-clickfix-the-cms-compromise-to-endp · ATT&CK page ↗

Story timeline

  1. 2026-05-25Ghost CMS CVE-2026-26980 → ClickFix: the CMS-compromise-to-endpoint kill chain
    deep-dive
  2. 2026-05-25CVE-2026-26980 — Ghost CMS unauthenticated blind SQL injection, mass-exploited into a ClickFix infostealer chain
    weekly-top-stories
  3. 2026-05-25CVE-2026-26980 — Ghost CMS Content API: unauthenticated blind SQL injection in the slug filter, actively exploited
    trending-vulnerabilities

Where this entity is cited

  • trending-vulnerabilities1
  • weekly-top-stories1
  • deep-dive1

Source distribution

  • attack.mitre.org8 (73%)
  • bleepingcomputer.com1 (9%)
  • blog.xlab.qianxin.com1 (9%)
  • github.com1 (9%)

Related entities

Entries about Ghost CMS Content API unauthenticated SQLi (CVSS 9.4); ITW-exploited in ClickFix campaign; fixed 6.19.1 (3)

2026-05-25 · view entry permalink →

NOTABLECVE-2026-26980exploited

Ghost CMS CVE-2026-26980 → ClickFix: the CMS-compromise-to-endpoint kill chain

Background. CVE-2026-26980 was disclosed and patched in Ghost 6.19.1 on 19 February 2026, and SentinelOne reported in-the-wild exploitation and detection guidance by 27 February (BleepingComputer, 2026-05-24). The May activity XLab documented is not a new bug but a large-scale weaponisation of the unpatched long tail of self-hosted instances, repurposing compromised editorial sites as a high-traffic, low-attributable delivery surface for ClickFix social engineering (XLab Qianxin, 2026-05-21). ClickFix / FakeCaptcha — tricking a user into pasting an attacker-supplied command into the Run dialog or a terminal — has been a tracked initial-access technique since 2024; what is notable here is the combination of a CVSS-9.4 pre-auth CMS flaw as the distribution mechanism with a fingerprinting/cloaking stage that keeps the lure invisible to non-targets and to casual review.

Kill chain → MITRE ATT&CK.

  • Initial access — T1190 Exploit Public-Facing Application. Unauthenticated boolean-based blind SQL injection through the Content API's slug filter parameter. No credentials, no user interaction — the request pattern the vendor mitigation keys on is a query string containing slug:[ (slug%3A%5B).
  • Credential access — T1552 Unsecured Credentials. The injection is used to read the admin API key out of Ghost's database. This key is a bearer token with full content-management scope, so its theft is the privilege pivot — there is no separate authentication step after extraction.
  • Content injection / defacement — T1659 Content Injection. With the admin key the attacker injects a lightweight JavaScript loader into published articles and/or theme templates, so the malicious code is served to every visitor from the site's own trusted origin.
  • Execution-guardrails cloaking — T1480 Execution Guardrails. The loader fetches a second-stage cloaking script that fingerprints each visitor and only proceeds for those matching the target profile (e.g. Windows desktop), so most visitors and most analysts never see the lure.
  • User execution — T1204.002 User Execution: Malicious File, chained to T1059.001 PowerShell / T1059.003 Windows Command Shell. Qualifying visitors are shown a fake Cloudflare "verify you are human" prompt in an overlay iframe instructing them to paste a supplied command into the Windows Run dialog (Win+R) or a terminal.
  • Payload delivery — T1105 Ingress Tool Transfer. The pasted command pulls follow-on payloads; XLab observed DLL loaders, JavaScript droppers, and an Electron-based sample named UtilifySetup.exe, leading to info-stealer / RAT capability.

Detection concepts (no IOCs). Two distinct hunt surfaces:

  • Server-side, for Ghost operators. Review web-server / reverse-proxy access logs for Content API requests to /ghost/api/content/ whose filter/slug parameter contains slug:[ (slug%3A%5B) or boolean-blind SQL artefacts (AND, CASE, time-delay primitives) — the vendor mitigation pattern is the highest-fidelity signal. In the Ghost admin audit trail, alert on unexpected article or theme modifications, and on any <script> element appearing in post content or theme files that has no editorial counterpart.
  • Client-side, for everyone (the product-agnostic, higher-value hunt). The ClickFix execution chain is independent of Ghost and is the artefact most defenders can actually catch: Sysmon Event ID 1 / Windows 4688 for cmd.exe or powershell.exe (especially with -EncodedCommand, clipboard-paste context, mshta, curl/certutil download cradles) whose parent process is a browser (chrome.exe, msedge.exe, firefox.exe, brave.exe) or explorer.exe immediately following a Win+R Run-dialog launch. Flag execution of unsigned Electron applications from user-writable paths. Enable PowerShell Script Block Logging (Event ID 4104) to capture the pasted stager body.

Hardening / mitigation.

  • Ghost: upgrade to 6.19.1 or later; until then block slug:[ / slug%3A%5B at the WAF and restrict the public Content API to trusted origins. Assume the admin API key was stolen on any internet-exposed instance — rotate it after patching and audit all posts and theme files for injected scripts.
  • Endpoint (the ClickFix surface, applies broadly): where operationally feasible, disable the Win+R Run dialog for standard users via the NoRun policy (GPO), deploy detection for clipboard-to-shell execution, and run user-awareness that any web page asking you to "paste this command to prove you are human" is an attack. Constrained Language Mode plus full PowerShell logging reduces the blast radius of a successful paste.

Background.

ctipilot v2 brief (migrated)
vulnerability25 May 05:00Zmulti-sourceOpen finding ↗

2026-05-25 · view entry permalink →

NOTABLECVE-2026-26980exploited

CVE-2026-26980 — Ghost CMS unauthenticated blind SQL injection, mass-exploited into a ClickFix infostealer chain

If you did nothing this week: self-hosted Ghost CMS instances are being mass-compromised through an unauthenticated blind SQL injection in the Content API slug filter, then weaponised as ClickFix social-engineering pages that serve infostealers to their own visitors.

XLab (Qianxin) and BleepingComputer document a large-scale campaign exploiting CVE-2026-26980 (CVSS 9.4, first covered 2026-05-25, GitHub advisory GHSA-w52v-v783-gw97). The dual-use is what makes this a §1 item rather than a routine SQLi: the same flaw both compromises the publishing platform and turns it into a watering hole. Public-sector, education and media organisations running self-hosted Ghost should patch to the fixed release and check for ClickFix-style injected content and unexpected database reads against the Content API.

If you did nothing this week: self-hosted Ghost CMS instances are being mass-compromised through an unauthenticated blind SQL injection in the Content API slug filter, then weaponised as ClickFix social-engineering pages that serve infostealers to their own visitors.

ctipilot v2 brief (migrated)
synthesis25 May 05:00Zmulti-sourceOpen finding ↗

2026-05-25 · view entry permalink →

HIGHCVE-2026-26980exploited

CVE-2026-26980 — Ghost CMS Content API: unauthenticated blind SQL injection in the slug filter, actively exploited

CVE-2026-26980 is an unauthenticated SQL injection (CWE-89) scored CVSS 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) in Ghost's Content API. The defect sits in the handling of the slug filter parameter, which is interpolated into a raw SQL fragment without parameterisation; a remote attacker with no authentication can perform boolean-based blind extraction of arbitrary database contents — critically the admin API key, which then grants full content-management scope over articles, themes and users (GitHub Security Advisory GHSA-w52v-v783-gw97). Affected versions span Ghost 3.24.0 through 6.19.0 (a roughly three-year release range); the fix shipped in 6.19.1 on 19 February 2026. Ghost(Pro) cloud instances were patched server-side; self-hosted operators must upgrade themselves, which is the exposed long tail the current campaign targets (BleepingComputer, 2026-05-24).

The CVE clears the § 2 bar on exploitation: SentinelOne documented in-the-wild exploitation as early as 27 February, and XLab confirmed the present large-scale wave (700+ compromised domains) on 21 May (XLab Qianxin, 2026-05-21). Mitigation: upgrade to 6.19.1 or later. Interim compensating controls — block Content API requests whose query string contains slug:[ (URL-encoded slug%3A%5B) at the WAF and restrict or disable the public Content API to trusted origins; the vendor mitigation targets exactly that request pattern. Because the admin API key is the exfiltration target, treat it as compromised on any exposed instance and rotate it after patching, then audit posts and themes for injected JavaScript. Full kill chain and detection in § 5.

CVE Summary Table

CVE Product CVSS EPSS KEV Exploited Patch Source
CVE-2026-26980 Ghost CMS (Content API) 9.4 n/a No Yes (ITW, 700+ sites) v6.19.1 GHSA-w52v-v783-gw97

CVE-2026-26980 is an unauthenticated SQL injection (CWE-89) scored CVSS 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) in Ghost's Content API.

ctipilot v2 brief (migrated)
vulnerability25 May 05:00Zmulti-sourceOpen finding ↗