Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks

The Hacker News by The Hacker News
May 25, 2026
Home Cybersecurity
Share on FacebookShare on Twitter


Ravie LakshmananMay 25, 2026Vulnerability / Web Security

Threat actors are exploiting a recently disclosed critical security flaw in Ghost CMS to inject malicious JavaScript code with an aim to fuel ClickFix attacks.

According to QiAnXin XLab, the activity involves the exploitation of CVE-2026-26980 (CVSS score: 9.4), an SQL injection vulnerability in Ghost’s Content API that could allow an unauthenticated attacker to read arbitrary data from the database. The security flaw was addressed in February 2026 in version 6.19.1. The vulnerability was discovered by Anthropic using Claude.

What makes the vulnerability severe is that it allows an attacker to gain access to a site’s admin API key without permission, granting them the ability to poison the site by injecting malicious code. The admin API key can be used to invoke the admin API and can directly modify articles published on the content management system.

The threat actor leveraged the security flaw to “obtain the target site’s Admin API Key without authorization, and then used the Ghost Admin API to tamper with articles in bulk, injecting malicious JavaScript loaders at the bottom of the pages to assist fake CAPTCHA attacks,” XLab said.

The activity has been described by the Chinese security vendor as a “large-scale poisoning” campaign weaponizing the Ghost CMS flaw. At least two different threat clusters are assessed to be behind the campaign, in some cases implanting certain sites with malicious code within a single day. It was first detected on May 7, 2026.

In all, the campaign has compromised more than 700 websites, spanning universities, blockchain, artificial intelligence, software-as-a-service (SaaS), security research, media, and financial technology sectors. The fact legitimate websites have been breached could further increase the success rate of the ClickFix attacks, XLab said.

The injected JavaScript code at the bottom of an article functions as a two-stage loader that’s responsible for retrieving the main payload at runtime from an external domain (“clo4shara[.]xyz/11z77u3.php”). This architecture offers added flexibility as it enables the threat actor to swap out the payloads based on different criteria, while keeping the loader functionality intact across several compromised sites.

“Directly accessing clo4shara[.]xyz/11z77u3.php reveals a piece of code, which is actually a typical traffic distribution script,” XLab explained. “Its core function is to collect various fingerprint information from the user’s browser and upload it to the server, then perform actions such as redirection, popups, and downloads based on the returned instructions.” The PHP script is powered by Adspect, a commercial cloaking service.

The idea behind using the cloaking script is to ensure that only real victims are served the actual payload, while security scanners and crawlers will only see a benign web page. The script also supports 19 different commands to run arbitrary JavaScript code and facilitate remote control of the victim’s browser.

Site visitors deemed as the intended targets are ultimately served a fake CAPTCHA verification page within an iframe HTML element to prove they are human. This, in turn, triggers a ClickFix attack, as part of which they are instructed to copy and paste a Base64-encoded command into the Windows Run dialog.

The command serves as a dropper for delivering a ZIP archive and extracts from it a Windows batch script and runs it. The script, for its part, executes a PowerShell command to download a DLL file from a remote domain, launch it using “rundll32.exe,” and open a bogus web page to the user as a distraction.

Subsequent iterations of the malware have been found to replace the DLL with a JavaScript payload. Regardless of the type of the payload, the end goal of the attack is to drop a Windows executable. In the case of the DLL, the executable is a PuTTY client with a valid code-signing certificate. The binary distributed via JavaScript is an Inno Setup installer for an Electron application.

The application is a modified version of the open-source Grape desktop client that’s designed to achieve persistence and poll a remote server (“web-telegram[.]ug”) every 30 seconds to process instructions issued by the attacker, including running JavaScript code or executable files.

Ghost CMS users are advised to upgrade their instances to the latest version, rotate all credentials, clean up the sites, audit access logs for signs of suspicious activity, and notify users who may have visited the sites during the contamination period for potential compromise.



Source link

The Hacker News

The Hacker News

Next Post
Thermal Printer Manufacturer ZYWELL Achieves 100+ Patent Milestone and Expands Presence Across 100+ Countries

Thermal Printer Manufacturer ZYWELL Achieves 100+ Patent Milestone and Expands Presence Across 100+ Countries

Recommended.

Gaming Accessories Market Surges to USD 30.10 Billion by 2033, Propelled by 8.10% CAGR – Verified Market Reports®

Gaming Accessories Market Surges to USD 30.10 Billion by 2033, Propelled by 8.10% CAGR – Verified Market Reports®

February 9, 2026
GameStop to invest corporate cash in bitcoin, following in footsteps of MicroStrategy

GameStop to invest corporate cash in bitcoin, following in footsteps of MicroStrategy

March 25, 2025

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
British Space Startup Launches Longevity Lab Into Orbit

British Space Startup Launches Longevity Lab Into Orbit

July 7, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio