TP-CAMP-2026-0330 high AI Draft C ONGOING

Ghost CMS FakeCaptcha Campaign Exploiting CVE-2026-26980

Executive Summary

This campaign documents ongoing exploitation of the Ghost CMS SQL Injection vulnerability CVE-2026-26980 to poison vulnerable sites and inject malicious JavaScript. Qianxin describes a large-scale campaign with at least two active groups targeting Ghost installations and redirecting visitors to FakeCaptcha-style flows that can trigger malware delivery.

Public reporting on May 7, 2026 first highlighted the poisoning of a client Ghost site and a broader sweep of hundreds of compromised public sites. The campaign appears operationally repeatable across many domains and uses a two-step delivery chain: SQL-injection-enabled takeover of content, then dynamic JavaScript-based redirection to a click prompt that encourages command execution.

Attribution remains unknown in this record. The available sources identify recurring operational patterns and shared tooling, but no confirmed actor identity.

Technical Analysis

The underlying vulnerability chain is consistent with a CMS supply-chain compromise model. Qianxin reports attackers obtaining Admin API keys from vulnerable Ghost deployments and modifying pages in bulk to inject malicious code at the bottom of articles. The code path includes a loader and a remote cloaking endpoint that can change payload behavior based on visitor context.

The NVD and GitHub advisory entries define the exploit basis as a blind SQL injection in Ghost Content API affecting versions from 3.24.0 through 6.19.0, patched in 6.19.1. In practical campaign use, this weakness is used to obtain privileged API material, which enables page modification at scale.

The observed attacker workflow emphasizes infrastructure automation and campaign velocity: compromised hosts become landing surfaces, while payload selection and victim-specific delivery are handled through remote script logic in a second stage. This model allows operators to keep the initial site poisoning infrastructure relatively stable while changing secondary instructions over time.

Attack Chain

Stage 1: CMS SQL Injection Compromise

Operators scan for vulnerable Ghost installations and leverage CVE-2026-26980 to access database contents without authentication. In the documented campaign cases, this access was sufficient to steal Ghost Admin API keys.

Stage 2: Bulk Page Poisoning

Using extracted admin capability, attackers insert JavaScript loader snippets into article pages. Qianxin observed bulk tampering behavior and repeated replacement activity across poisoned targets, with more than one actor active in this same campaign window.

Stage 3: Two-Stage Delivery Setup

The injected loader contacts a remote endpoint that returns instructions which can change per request. This gives operators control of the next action without repeated re-compromise of the publishing platform.

Stage 4: FakeCaptcha Lure

Victims are redirected to spoofed human-verification pages that resemble legitimate anti-bot challenges. The interaction flow encourages users to open command execution dialogs and paste commands, which can lead to malware execution.

Stage 5: Payload Distribution and Follow-on Risk

Qianxin observed upgraded payload behavior over time, including a loader-to-stealer progression. In campaign operations, that indicates modularity and a living delivery chain, not a fixed single malware hash.

MITRE ATT&CK Mapping

T1190 - Exploit Public-Facing Application: CVE-2026-26980 is an unauthenticated SQL injection vulnerability in Ghost Content API, used as the entry point to compromise site content workflows.

T1059.001 - PowerShell: Qianxin reported that users are lured into a FakeCaptcha flow that prompts the victim to run commands locally.

T1204.003 - Malicious Image: Qianxin’s reported flow relies on user interaction followed by execution to advance the command-driven payload steps.

T1059.003 - Windows Command Shell: Reported social-engineering instructions include command-window prompts that can be used to execute secondary payload logic.

Timeline

2026-02-16 — CVE Disclosure and Advisory Publication

GitHub published advisory GHSA-w52v-v783-gw97 for Ghost Content API SQL injection, including affected versions and fixed release guidance.

2026-02-20 — NVD Record Publication

NVD records the vulnerability with public severity and affected-version details, and references the same GitHub advisory and fixes.

2026-05-07 — First Reported Poisoning Detection

Qianxin reports detection of page poisoning traits on a Ghost site and traces them to an automated exploitation flow against unpatched instances.

2026-05-10 to 2026-05-17 — Expansion Phase

Qianxin reports iterative enumeration rounds with confirmed victim domain counts rising to 700+, with active domain changes and evolving staging behavior.

Remediation & Mitigation

Defenders should treat public Ghost CMS installations as high-priority patch targets and apply version 6.19.1 (or later) updates as the first control step. Audit admin API key handling and rotate keys on any site where compromise is suspected.

Operationally, monitor for unexpected Ghost article changes and unusual front-end behavior, including unexpected loader scripts and redirected verification prompts. Security operations should include:

  • Hardening and token hygiene for Ghost Admin API keys.
  • Strong change detection on publication surfaces (including article HTML and injection behavior).
  • Blocking of known cloaking/abuse indicators and domains observed in earlier stages of the campaign.
  • Endpoint controls and user education around pop-ups requesting command-line execution.
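One way to implement the version check from the Technical Analysis and the change-detection control above, as an added example (not code from the report, from Qianxin, or from the Ghost project): a stored copy of each post's HTML is compared with the HTML served today, and any <script> reference that is new and not from an allow-listed host is flagged. The sample post HTML and host names are constructed.

```python
# Change detection for injected <script> tags in Ghost post HTML, plus a version check
# against the affected range stated in the advisory. Added example; samples are constructed.
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

AFFECTED_FROM, PATCHED = (3, 24, 0), (6, 19, 1)  # 3.24.0 .. 6.19.0 affected, 6.19.1 fixed
def version_is_vulnerable(version: str) -> bool:
    """True when a Ghost version string falls inside the affected range."""
    nums = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    return AFFECTED_FROM <= nums < PATCHED

class ScriptCollector(HTMLParser):
    """Record every <script>: its src, or 'inline:<sha256 prefix>' of its body."""
    def __init__(self):
        super().__init__()
        self.refs, self._src, self._body, self._open = [], None, [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open, self._src, self._body = True, dict(attrs).get("src"), []
    def handle_data(self, data):
        if self._open: self._body.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._open:
            self._open = False
            body_hash = hashlib.sha256("".join(self._body).encode()).hexdigest()[:16]
            self.refs.append(self._src or "inline:" + body_hash)

def script_refs(html: str) -> list:
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.refs

def find_injected_scripts(baseline_html: str, served_html: str, allowed_hosts) -> list:
    """Scripts in the served page that the stored baseline lacks, minus allow-listed hosts."""
    known = set(script_refs(baseline_html))
    findings = []
    for ref in script_refs(served_html):
        host = "inline" if ref.startswith("inline:") else (urlparse(ref).netloc or "same-origin")
        if ref not in known and host not in allowed_hosts:
            findings.append(ref)
    return findings

# Constructed sample: the stored baseline and the same post as served today.
BASELINE = "<p>Article body</p><script src='https://cdn.example.org/app.js'></script>"
SERVED = BASELINE + ("<script src='https://loader.invalid/x.js'></script>"
                     "<script>location.href='https://lure.invalid/';</script>")
```

Inline scripts are keyed by a hash of their body, so a replaced inline loader is reported even when the page already carried a legitimate inline script.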

Sources & References