CRITICAL · Cyber Intelligence · Monday, May 25, 2026

Ghost CMS SQL flaw exploited in ClickFix malware campaign

Critical vulnerability in popular publishing platform allows attackers to inject malicious JavaScript, triggering social engineering attacks at scale.

A critical SQL injection vulnerability in Ghost CMS is being exploited in a large-scale campaign that injects malicious JavaScript to trigger ClickFix social engineering attacks. The flaw, tracked as CVE-2026-26980, allows attackers to compromise Ghost-powered websites and deploy code that manipulates visitors into executing harmful commands.

Ghost CMS is an open-source publishing platform used by thousands of websites, including media outlets, independent publishers, and corporate blogs. The vulnerability enables attackers to inject arbitrary code into the database through crafted SQL queries, bypassing normal security controls.

The ClickFix technique tricks users into copying and executing malicious commands by presenting fake error messages or system prompts. Once injected into a compromised Ghost site, the malicious JavaScript displays convincing overlays that instruct visitors to run PowerShell commands or other system-level instructions, often under the guise of fixing a technical problem or verifying their identity.
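A review heuristic for the ClickFix pattern described above, as an added example that is not part of the original brief or of Ghost: it flags HTML fragments (for instance exported post bodies or site-wide injected code) whose inline scripts write to the clipboard alongside command or lure wording. The regexes, function names and sample fragments are assumptions constructed for illustration; the brief does not state where the injected script is stored.

```python
import re
from html.parser import HTMLParser

# Heuristics below are assumptions for this example, not indicators from the brief.
CLIPBOARD_WRITE = re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]", re.I)
COMMAND_HINT = re.compile(r"\b(powershell|cmd\.exe|mshta|terminal)\b", re.I)
LURE_TEXT = re.compile(r"\b(verify (you are|your identity)|fix (this|the) (error|problem)|run (the|this) command)\b", re.I)

# Constructed sample fragments (not captured from any real site).
SAMPLE_SUSPECT = ('<div>To verify you are human, run this command.</div>'
                  '<script>navigator.clipboard.writeText("powershell PLACEHOLDER")</script>')
SAMPLE_CLEAN = ('<pre>npm install</pre>'
                '<script>btn.onclick=()=>navigator.clipboard.writeText("npm install")</script>')


class _Collector(HTMLParser):
    """Separates inline <script> bodies from visible text."""
    def __init__(self):
        super().__init__()
        self.scripts, self.text, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data
        else:
            self.text.append(data)


def score_fragment(html):
    """Return the sorted names of the heuristics that fire on one HTML fragment."""
    c = _Collector()
    c.feed(html)
    c.close()
    js, visible = "\n".join(c.scripts), " ".join(c.text)
    hits = {"clipboard-write"} if CLIPBOARD_WRITE.search(js) else set()
    if COMMAND_HINT.search(js) or COMMAND_HINT.search(visible):
        hits.add("command-hint")
    if LURE_TEXT.search(js) or LURE_TEXT.search(visible):
        hits.add("lure-text")
    return sorted(hits)


def needs_review(html):
    """Copy buttons are common, so a clipboard write needs a second signal to be flagged."""
    hits = score_fragment(html)
    return "clipboard-write" in hits and len(hits) >= 2
```

A hit is a prompt for manual review of that fragment, not proof of compromise; obfuscated scripts will not match these patterns.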

Implications
  • 01 Ghost CMS operators face immediate compromise risk without available patch guidance
  • 02 Visitors to compromised sites may execute malware through convincing social engineering
  • 03 Media and publishing organizations using Ghost require urgent security reviews
  • 04 Enterprises hosting Ghost blogs face potential lateral movement from compromised instances
Source
BleepingComputer
https://www.bleepingcomputer.com/news/security/ghost-cms-sql-injection-flaw-exploited-in-large-scale-clickfix-campaign/
Brief is editorial commentary by Atlas Intelligence based on the cited public reporting. Atlas does not reproduce source text. Verify primary source before action.
Tags: ghost cms, sql injection, clickfix, social engineering, cve-2026-26980, web security