Global Ghost CMS flaw exploited to steal admin keys and push ClickFix scam

Source: BleepingComputer
TL;DR Summary

A widespread campaign abused a critical Ghost CMS SQL injection flaw (CVE-2026-26980), affecting versions 3.24.0–6.19.0, to read database data and steal admin API keys, then injected malicious JavaScript into articles. The injected loader fetches a second-stage payload that shows a fake Cloudflare prompt and a ClickFix lure, which instructs victims to run a command in the Windows command prompt and leads to subsequent malware downloads. High-profile targets (Harvard, Oxford, Auburn, DuckDuckGo) were affected. Ghost released the fix in version 6.19.1 on Feb 19, but many sites have not updated. Action items: upgrade to 6.19.1 or later, rotate all exposed keys, and review up to 30 days of admin API call logs to identify IoCs and remove injected scripts.
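One way to approach the "remove injected scripts" action item, as an added example that is not from the article or from the Ghost project: it walks a Ghost JSON export and lists every `<script>` tag in post content that is inline or loads from a host you have not allowlisted. The export layout (`db[0].data.posts`), the field names and the allowlisted host are assumptions, and the sample export is constructed.

```javascript
// Added example: audit a Ghost JSON export for script tags in post content.
// Assumptions: export layout db[0].data.posts, the FIELDS names, ALLOWED_HOSTS.
const ALLOWED_HOSTS = new Set(["cdn.example.org"]); // hosts you embed on purpose
const FIELDS = ["html", "codeinjection_head", "codeinjection_foot"];
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
const SRC_RE = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

function scriptHost(src) {
  try {
    return new URL(src.startsWith("//") ? "https:" + src : src).hostname;
  } catch {
    return null; // relative or malformed URL: no host, so it gets reported
  }
}

function auditExport(exportJson) {
  const posts = exportJson?.db?.[0]?.data?.posts ?? [];
  const findings = [];
  for (const post of posts) {
    for (const field of FIELDS) {
      for (const m of (post[field] || "").matchAll(SCRIPT_RE)) {
        const srcMatch = m[1].match(SRC_RE);
        const src = srcMatch ? (srcMatch[1] ?? srcMatch[2] ?? srcMatch[3]) : null;
        const host = src ? scriptHost(src) : null;
        if (host && ALLOWED_HOSTS.has(host)) continue; // known-good embed
        findings.push({
          slug: post.slug, field, kind: src ? "external" : "inline",
          host, updated_at: post.updated_at,
        });
      }
    }
  }
  return findings; // every entry needs manual review before removal
}

// Constructed sample export (not real data).
const SAMPLE_EXPORT = { db: [{ data: { posts: [
  { slug: "welcome", updated_at: "2026-01-05T10:00:00.000Z",
    html: '<p>Hi</p><script src="https://cdn.example.org/widget.js"></script>' },
  { slug: "news", updated_at: "2026-03-01T02:14:00.000Z",
    html: '<p>Post</p><script src="//unknown-host.example/l.js" async></script>',
    codeinjection_foot: "<script>/* inline */</script>" },
] } }] };
console.log(auditExport(SAMPLE_EXPORT));
```

The `updated_at` value on each finding gives a timestamp to compare against the admin API call logs for the same period.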
