
Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign

Why This Matters

The widespread exploitation of the Ghost CMS SQL injection vulnerability highlights the critical need for timely software updates and robust security practices in the tech industry. This campaign underscores how unpatched vulnerabilities can lead to large-scale data breaches and malicious campaigns affecting prominent institutions and consumers alike.

Key Takeaways

A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript code that triggers ClickFix attack flows.

The campaign was discovered by XLab threat intelligence researchers at Chinese cybersecurity company Qianxin, who confirmed impact on more than 700 domains, including university portals, AI/SaaS companies, media outlets, fintech firms, security sites, and personal blogs.

According to the researchers, threat actors planted malicious code on the websites of Harvard University, Oxford University, Auburn University, and DuckDuckGo.

[Figure: Compromised sites. Source: XLab]

CVE-2026-26980 impacts Ghost 3.24.0 through 6.19.0, and allows unauthenticated attackers to read arbitrary data from the website database, including the admin API keys.

This key gives management access to users, articles, and themes, and can be used to modify article pages.

Although the fix for the issue was released on February 19 in Ghost CMS version 6.19.1, many sites failed to install the security update.

On February 27, SentinelOne published details about CVE-2026-26980 being exploited in attacks, along with guidance on how such incidents can be detected. The researchers observed at least two distinct activity clusters targeting vulnerable Ghost sites, sometimes re-infecting the same domains with different scripts after cleanup, or one cluster removing the other's script to inject its own.
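As an added example (not code from the article, SentinelOne, or the Ghost project), the two checks a site operator would want after reading this: whether an installed Ghost version falls in the affected range 3.24.0 through 6.19.0 (fixed in 6.19.1), and whether exported post HTML contains script tags that were not put there by the site owner, which is how the campaign delivers its ClickFix flow. The post records are constructed sample data shaped like Ghost's `posts.html` column; the allowlist of trusted script hosts is an assumption the operator supplies.

```python
import re
from urllib.parse import urlparse

# Affected range from the advisory: 3.24.0 <= version < 6.19.1 (fixed release).
AFFECTED_MIN = (3, 24, 0)
FIXED = (6, 19, 1)

def parse_version(v: str) -> tuple:
    """Turn '6.19.0' or 'v6.19.0-rc1' into a comparable (major, minor, patch)."""
    core = v.lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

def is_affected(version: str) -> bool:
    """True if this Ghost release is exposed to CVE-2026-26980."""
    return AFFECTED_MIN <= parse_version(version) < FIXED

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)

def find_injected_scripts(posts, allowed_hosts):
    """Flag scripts loaded from hosts outside the allowlist, or inline scripts.

    posts: iterable of {"id": ..., "html": ...} rows (e.g. a Ghost DB export).
    Returns a list of (post_id, reason) tuples in document order.
    """
    findings = []
    for post in posts:
        for attrs, body in SCRIPT_RE.findall(post["html"]):
            src = SRC_RE.search(attrs)
            if src:
                host = (urlparse(src.group(1)).hostname or "").lower()
                if host not in allowed_hosts:
                    findings.append((post["id"], f"external script from {host}"))
            elif body.strip():
                findings.append((post["id"], "inline script"))
    return findings

# Constructed sample rows: p1 is clean, p2 carries an untrusted loader plus inline code.
SAMPLE_POSTS = [
    {"id": "p1", "html": '<p>Hello</p><script src="https://cdn.example.org/a.js"></script>'},
    {"id": "p2", "html": '<p>Post</p><script src="https://injected.example.net/x.js"></script>'
                          "<script>fetch('/x')</script>"},
]

if __name__ == "__main__":
    print("6.19.0 affected:", is_affected("6.19.0"), "| 6.19.1 affected:", is_affected("6.19.1"))
    for post_id, reason in find_injected_scripts(SAMPLE_POSTS, {"cdn.example.org"}):
        print(f"{post_id}: {reason}")
```

Run it against a real export by replacing `SAMPLE_POSTS` with rows read from the Ghost database and putting only the CDNs and analytics hosts you actually use in the allowlist; anything else flagged is a candidate for the cleanup-and-reinfection cycle described above.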

Timeline of the attacks
