Ghost CMS vulnerability: Large-scale attack with CAPTCHA traps

A large-scale attack campaign has been uncovered, targeting websites using the Ghost CMS. Although a patch was released several months ago, delayed updates have caused hundreds of websites, including those of reputable organizations, to become tools for distributing malware.

Fatal flaw: a SQL injection error

The attack wave centres on the vulnerability tracked as CVE-2026-26980, which carries a near-perfect CVSS score of 9.4/10.0. It is a SQL injection flaw: attackers can send crafted input that the system passes to the database as part of a query, forcing it to reveal sensitive information.

Notably, this vulnerability was first discovered by Anthropic's AI model, Claude, in February 2026. On installations not updated to version 6.19.1 or later, attackers can obtain the Admin API key without logging in. With this key they gain full control: they can change content and insert malicious code into numerous articles on the website.

ClickFix and CAPTCHA traps

After gaining control of the website, hackers do not cause immediate damage but silently insert JavaScript snippets at the end of each article. Their goal is to execute a ClickFix attack.

When users visit an infected site, they see a message requesting CAPTCHA verification; this is the trap. The page instructs them to copy an encoded string and paste it into the Run dialog box on their Windows computer. Anyone who follows the instructions unknowingly installs spyware that lets the attackers remotely control the computer and steal personal data.
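The injection pattern described above (a script silently appended to the end of each article) can be hunted for in a site's own content. The following Python is an added defensive example, not code from the article or from the Ghost project: it scans post JSON in the shape of a Ghost Content API response (an assumption about the input format), flags posts whose HTML ends in a `<script>` block, and reports obfuscation markers and non-allowlisted script hosts. The sample posts are constructed.

```python
import json
import re

# Constructed sample in the shape of a Ghost Content API response
# (a "posts" array whose items carry an "html" field). Post p2 models
# the injection pattern described in the article: a script appended
# after the legitimate article body. Post p3 loads an external script.
SAMPLE_RESPONSE = json.dumps({
    "posts": [
        {"id": "p1", "slug": "hello", "html": "<p>Welcome to the blog.</p>"},
        {"id": "p2", "slug": "news",
         "html": "<p>Quarterly update.</p>"
                 "<script>eval(atob('...'))</script>"},
        {"id": "p3", "slug": "embed",
         "html": "<p>Talk recording.</p>"
                 "<script src=\"https://cdn.example-attacker.invalid/c.js\"></script>"},
    ]
})

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)
# Decoder/evaluator calls commonly seen in obfuscated loaders (heuristic).
OBFUSCATION_RE = re.compile(r"\b(eval|atob|unescape|String\.fromCharCode)\s*\(", re.I)

def trailing_script(html):
    """Return the last <script> block if the post body ends with one, else None."""
    body = html.strip()
    tags = list(SCRIPT_RE.finditer(body))
    if tags and tags[-1].end() == len(body):
        return tags[-1].group(0)
    return None

def scan_posts(response_json, allowed_hosts=()):
    """Flag posts ending in a script tag and explain why each one looks suspicious."""
    findings = []
    for post in json.loads(response_json)["posts"]:
        tag = trailing_script(post.get("html", ""))
        if tag is None:
            continue
        reasons = ["script appended to end of post"]
        if OBFUSCATION_RE.search(tag):
            reasons.append("obfuscation/decoder call")
        src = SRC_RE.search(tag)
        if src:
            host = re.sub(r"^https?://", "", src.group(1)).split("/")[0]
            if host not in allowed_hosts:
                reasons.append(f"external script host {host}")
        findings.append({"id": post["id"], "slug": post["slug"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in scan_posts(SAMPLE_RESPONSE, allowed_hosts=("cdn.example.com",)):
        print(f["slug"], "->", "; ".join(f["reasons"]))
```

Run it against a real export or Content API dump with your own embed hosts in `allowed_hosts`; a post that legitimately ends with an embed from a known host produces only the first reason and can be triaged quickly.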

Sophistication in hiding traces

To avoid detection, the criminal groups used an anonymization service called Adspect to sort visitors. Security scanning tools and search crawlers (such as Googlebot) are shown a normal website; only real users are redirected to pages carrying malware and phishing traps. This filtering helps the campaign persist longer before antivirus software detects it.

Large-scale “poisoning” campaign

According to a report from the security firm QiAnXin, more than 700 websites have been affected by this attack. The victims range from personal blogs to major entities such as Harvard University, Oxford, and the search engine DuckDuckGo. Sectors such as blockchain, AI, and fintech are top targets because of their high volume of valuable user traffic.

Experts even discovered at least two different hacker groups "competing" for control over the same victim website, taking turns inserting their own malicious code within the same day.

This incident is an urgent reminder about maintaining security for content management systems. In the era of AI and sophisticated attacks, delaying a patch update by even a few months can lead to unforeseen consequences for both website owners and users.

References:

  • Ghost CMS Vulnerability Exploited to Hack Over 700 Websites - SecurityWeek

  • Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks - The Hacker News

IPSIP VIETNAM ONE MEMBER LIMITED LIABILITY COMPANY (IPSIP VIETNAM OMLLC)