Ghost CMS Just Hit Seven Hundred Sites With ClickFix. We Had The Detection Rule Six Days Early.

  • Writer: Patrick Duggan
  • 1 day ago
  • 3 min read

The Hacker News this morning reports that Ghost CMS CVE-2026-26980, the unauthenticated SQL-injection vulnerability disclosed earlier this month, has now been exploited to compromise more than seven hundred websites running the platform. The injection payload deploys a ClickFix attack chain that pivots visitors of the compromised Ghost-served pages into the standard Russian-language clipboard-hijacking flow — copy a malicious PowerShell command, paste it into Windows Run, execute. The ClickFix chain has been operationally documented in our index across two hundred and seventeen prior records this year. It is one of the highest-conversion social-engineering loaders currently operating against the consumer Windows population.


This post is a six-day receipt. DugganUSA's exploit-harvester cron caught the public proof-of-concept for CVE-2026-26980 on May 20, 2026, six days before today's mass-exploitation phase fired. The harvester surfaced the Kulik-Labs-Development/Ghost-CMS-Code-Injection-Audit-CVE-2026-26980 repository ([KEV-gap record](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-26980)), parsed the PoC, emitted one detection rule against the /ghost/api/admin/ endpoint pattern, and indexed both the marker record and the detection rule under source=exploit-harvester in the iocs index. Customers consuming our STIX feed had the deny-list pattern available six days before the attack at scale began. The receipt is timestamped 2026-05-20T18:00:57.



The two-tier Ghost CMS picture


CVE-2026-26980 is the SQLi we surfaced on May 20. CVE-2026-29053 is the more dangerous Ghost RCE — theme upload as server-side execution primitive — which we ingested into our iocs index yesterday after publishing the triad/quartet indirect-trust doctrine post. The Ghost CMS attack surface in May 2026 has two distinct lanes:


The fast lane is the SQLi. CVE-2026-26980 is unauthenticated, the public PoC is one HTTP request long, and the resulting database read can be turned into a content-injection payload within the same automated scan cycle. That is what hit seven hundred sites today. The mass-exploitation playbook is: scan Ghost installations identified via response-header fingerprinting, inject the SQLi against /ghost/api/content/posts/, modify post content to inject the ClickFix HTML payload, move on. End-to-end automation. The ClickFix chain runs against any visitor of the compromised site until the operator notices and rolls back.


The slow lane is the RCE. CVE-2026-29053 requires theme upload privileges, which require admin auth, which requires a chain through the SQLi or stolen credentials. The RCE has not yet been used in a documented public campaign — but it is the higher-impact path, and the actors that exploit at scale will inevitably stack the SQLi as the gateway and the RCE as the payload-delivery layer.


The defensive posture: patch immediately to Ghost 6.19.1 or later. Until then, treat the /ghost/api/admin/themes/upload endpoint and the /ghost/api/content/posts/ injection point as adversarial-by-default. Every Ghost site on the public internet that has not patched to 6.19.1 is in the active scan population this week.
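The two lanes above reduce to two request surfaces and one version gate, which is what a log-side rule and a patch audit need to cover. The following is an added example, not DugganUSA's published detection rule and not Ghost's own code: it parses constructed access-log lines, flags write requests to the theme-upload path and SQL-metacharacter probes against the two API paths named in this post, and gates an inventory entry against the 6.19.1 fix. The SQLi markers are generic heuristics, not the CVE payload; the log lines are constructed.

```python
"""Ghost CMS exposure checks (added example; endpoints and fix version taken from the post)."""
import re
from urllib.parse import urlsplit, unquote, unquote_plus

PATCHED_VERSION = (6, 19, 1)  # Ghost 6.19.1 or later, per the post

# Request surfaces named in the post: the SQLi injection points and the theme-upload RCE path.
SQLI_SURFACE = ("/ghost/api/content/posts/", "/ghost/api/admin/")
RCE_SURFACE = "/ghost/api/admin/themes/upload"

# Generic SQL-injection heuristics for a decoded query string (not the CVE-specific payload).
SQLI_MARKERS = re.compile(r"""(?ix)
    (['"]\s*(or|and)\s+[\w'"]+\s*=)     # ' or 1=1 style tautology
  | (union\s+(all\s+)?select)           # union-based read
  | (\bsleep\s*\()|(\bbenchmark\s*\()   # time-based probes
  | (--|/\*|;)                          # comment / statement terminators
""")

# Combined log format: ip ident user [time] "METHOD TARGET PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def parse_version(version):
    """'6.19.1' -> (6, 19, 1); tolerates a leading 'v' and pads missing components with 0."""
    parts = version.lstrip("v").split(".")[:3]
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def is_patched(version):
    """True when the reported Ghost version is at or above the fixed release."""
    return parse_version(version) >= PATCHED_VERSION


def classify(line):
    """Label one access-log line: 'theme-upload', 'sqli-probe', or None when nothing matches."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target = m.group("method"), m.group("target")
    parts = urlsplit(target)
    path = unquote(parts.path)          # decode the path so %2e-style tricks do not hide the prefix
    query = unquote_plus(parts.query)   # decode the query before looking for SQL metacharacters
    if path.startswith(RCE_SURFACE) and method in ("POST", "PUT"):
        return "theme-upload"
    if path.startswith(SQLI_SURFACE) and SQLI_MARKERS.search(query):
        return "sqli-probe"
    return None


def scan(lines):
    """Return (label, source ip, request target) for every flagged line, in log order."""
    findings = []
    for line in lines:
        label = classify(line)
        if label:
            m = LOG_RE.match(line)
            findings.append((label, m.group("ip"), m.group("target")))
    return findings


# Constructed sample log: one tautology probe, one unauthenticated theme upload attempt, two benign hits.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/May/2026:18:05:11 +0000] "GET /ghost/api/content/posts/?key=abc&filter=slug:%27%20or%201=1-- HTTP/1.1" 200 4123',
    '203.0.113.7 - - [20/May/2026:18:05:12 +0000] "POST /ghost/api/admin/themes/upload/ HTTP/1.1" 401 98',
    '198.51.100.4 - - [20/May/2026:18:06:00 +0000] "GET /ghost/api/content/posts/?key=abc&limit=5 HTTP/1.1" 200 8800',
    '198.51.100.9 - - [20/May/2026:18:07:30 +0000] "GET /about/ HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    for host, ver in [("blog.example", "6.18.2"), ("news.example", "6.19.1")]:
        print(host, ver, "patched" if is_patched(ver) else "UNPATCHED")
```

The theme-upload check fires on the method regardless of status: a 401 on that path is still a scanner touching the RCE surface and belongs in the same alert stream as a successful upload. The SQLi heuristic is intentionally loose; tune `SQLI_MARKERS` to the site's own query vocabulary before deploying it on a busy Content API.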



What the six-day receipt buys


It buys nothing for the seven hundred sites already compromised today. It buys everything for the sites that consumed our STIX feed on May 20 and pushed the deny-list and detection rule into their secure email gateway, web proxy, and database-query monitoring. The difference between threat intelligence as a product and threat intelligence as a hot take is the gap between the timestamp of the indicator's arrival in your feed and the timestamp of the mass-exploitation campaign that uses that indicator.


For Ghost CMS specifically, the six-day window was bounded on both ends. On the front end, the public PoC repository on GitHub was indexable as soon as it was published — but the typical defender pipeline does not poll GitHub for exploit research. Our github-hunt-cron and exploit-harvester crons do. On the back end, the mass-exploitation phase fired six days later, faster than most CVE-management cycles can respond. The defender who saw the indicator on May 20 had time to patch, deny-list, or both. The defender who first saw it via the May 26 news cycle is, statistically, already running compromised Ghost on at least one of their public properties.
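What the feed actually ships is a STIX indicator with a timestamp, and the "receipt" is the arithmetic between that timestamp and the campaign's. The block below is an added example, not DugganUSA's feed code: it builds a STIX 2.1 Indicator for the /ghost/api/admin/ endpoint pattern (the indicator id, description and pattern wording are assumptions) and computes the lead time in calendar days between the post's 2026-05-20T18:00:57 receipt and a May 26 exploitation timestamp, which is constructed.

```python
"""STIX 2.1 indicator and lead-time calculation (added example; not the original feed record)."""
from datetime import datetime, timezone
import json
import uuid


def parse_ts(ts):
    """Accept '2026-05-20T18:00:57', a date-only string, or a trailing 'Z'; treat all as UTC."""
    return datetime.fromisoformat(ts.replace("Z", "")).replace(tzinfo=timezone.utc)


def stix_timestamp(ts):
    """STIX 2.1 timestamps carry millisecond precision and a 'Z' suffix."""
    return parse_ts(ts).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def ghost_admin_indicator(valid_from, cve):
    """STIX 2.1 Indicator for requests against the Ghost admin API; a deny-list pattern, not an exploit."""
    ts = stix_timestamp(valid_from)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",   # assumed: real feed ids are stable, not regenerated
        "created": ts,
        "modified": ts,
        "name": f"Ghost CMS admin API probe ({cve})",
        "description": "Requests to /ghost/api/admin/ from untrusted sources (added example record).",
        "indicator_types": ["malicious-activity"],
        "pattern": "[url:value MATCHES '^https?://[^/]+/ghost/api/admin/']",
        "pattern_type": "stix",
        "valid_from": ts,
        "labels": ["source=exploit-harvester"],
        "external_references": [{"source_name": "cve", "external_id": cve}],
    }


def lead_time_days(indicator_ts, first_exploitation_ts):
    """Calendar days between indicator availability and mass exploitation; negative means the feed was late."""
    return (parse_ts(first_exploitation_ts).date() - parse_ts(indicator_ts).date()).days


def receipt(indicator, first_exploitation_ts):
    """Summarise one indicator against a campaign timestamp, the way a feed consumer would audit coverage."""
    days = lead_time_days(indicator["valid_from"], first_exploitation_ts)
    return {
        "cve": indicator["external_references"][0]["external_id"],
        "indicator_valid_from": indicator["valid_from"],
        "lead_time_days": days,
        "actionable_before_campaign": days > 0,
    }


# Timestamps: receipt time from the post; the campaign timestamp is constructed for the example.
RECEIPT_TS = "2026-05-20T18:00:57"
CAMPAIGN_TS = "2026-05-26T09:00:00Z"

if __name__ == "__main__":
    ind = ghost_admin_indicator(RECEIPT_TS, "CVE-2026-26980")
    print(json.dumps(ind, indent=2))
    print(receipt(ind, CAMPAIGN_TS))
```

A consumer that stores `valid_from` alongside the time a rule was actually pushed to the proxy or gateway can compute the same number per CVE and see where its own pipeline, not the feed, is the bottleneck.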



The wider pattern


This is the third receipt in three days that came in below the public news cycle. Megalodon C2 was indexed by us forty-nine days before the attack. The Late 2025 Western US UAP orb-swarm case was sitting in PURSUE Release 1 for seventeen days before any major outlet named it. The Ghost CMS detection rule was published in our feed six days before the seven-hundred-site exploitation phase. None of these were lucky finds. All three were what a properly-run threat-intelligence corpus produces when you query it cross-correlationally, which the broader defender community does not consistently do.


The detector finds the case. The case is timestamped. The receipt is open.


Patch Ghost. Pin to 6.19.1 or later. Treat every unpatched Ghost installation as adversarial-by-default for the rest of this week. The next phase will combine the SQLi with the RCE. The pieces are in place.

