XLab discovered a large-scale campaign exploiting CVE-2026-26980 in Ghost CMS to steal admin API keys and inject malicious JavaScript that drives ClickFix attack flows. The activity has affected more than 700 domains, including sites linked to Harvard University, Oxford, Auburn University, and DuckDuckGo, and leveraged payloads such as UtilifySetup.exe.
Key points
- CVE-2026-26980 affects Ghost 3.24.0 through 6.19.0.
- Attackers can read arbitrary database data and steal admin API keys.
- More than 700 domains have been impacted across many sectors.
- Injected JavaScript loads cloaking code and delivers a fake Cloudflare ClickFix prompt.
- Payloads seen include DLL loaders, JavaScript droppers, and UtilifySetup.exe.