A significant malware campaign, termed ClickFix, has hijacked over 700 education and tech websites by exploiting a SQL injection vulnerability (CVE-2026-26980) in the Ghost Content Management System. Attackers injected malicious JavaScript that prompts users with a fake Cloudflare verification, tricking them into executing harmful commands that install malware.
This vulnerability, which affects Ghost versions 3.24.0 to 6.19.0, allows unauthorized access to the site's database, compromising admin keys and facilitating further exploitation. Website managers are urged to update to the latest patched version to mitigate the threat, while users are advised to exercise caution when following webpage instructions and running commands. Preventative measures include using up-to-date anti-malware solutions and being wary of copying and pasting commands from untrusted sources.