
A security flaw in Ghost CMS — a popular platform used by bloggers, universities, and news outlets — has been actively exploited to hijack more than 700 websites and trick their visitors into installing malware. Attackers used the vulnerability (CVE-2026-26980) to sneak malicious code into articles, which then display a fake “Cloudflare verification” pop-up on top of legitimate web pages.
The fake prompt tells you to copy a command and paste it into your Windows command prompt to prove you are human. Running it installs malware on your computer. This type of scam is known as “ClickFix.” Affected sites have included portals at Harvard University, Oxford University, and DuckDuckGo. The patch has been available since February 2026, but many site owners have not yet applied it.
How to check if you’re affected
Affected versions of Ghost CMS are 3.24.0 through 6.19.0. If you run a Ghost CMS website, check your version in the admin panel under Settings → About and upgrade to 6.19.1 or later immediately. Also rotate your admin API keys, as they may have been stolen.
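For site operators who would rather script the version check than click through the admin panel, the following is an added example (not code from the article or from the Ghost project). It compares a version string against the affected range stated above, 3.24.0 through 6.19.0 inclusive, and reads the version from a package.json document; the assumption that a Ghost install exposes its version in a package.json file at the install root is the operator's to confirm, and anything that is not a plain MAJOR.MINOR.PATCH string (pre-release builds, for instance) is rejected so it gets verified by hand rather than silently passed.

```python
"""Added example: check a Ghost CMS version string against the affected range
reported in the advisory (3.24.0 through 6.19.0; 6.19.1 or later is patched).
Not from the article or the Ghost project."""
import json
import re
from typing import Optional, Tuple

AFFECTED_MIN = (3, 24, 0)   # first affected release named in the advisory
AFFECTED_MAX = (6, 19, 0)   # last affected release; 6.19.1 carries the fix

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse a plain 'MAJOR.MINOR.PATCH' string (optional leading 'v').

    Returns None for anything else, including pre-release or build-tagged
    strings such as '6.19.1-beta.1': those are deliberately not guessed at,
    because a pre-release of a patched number may predate the fix.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version falls inside the vulnerable range (inclusive).

    Raises ValueError for unrecognised strings so a caller cannot mistake
    'could not parse' for 'not affected'.
    """
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised version string, verify manually: {version!r}")
    # Tuple comparison is lexicographic, which is exactly semver ordering
    # for numeric major/minor/patch components.
    return AFFECTED_MIN <= parsed <= AFFECTED_MAX


def version_from_package_json(contents: str) -> str:
    """Return the 'version' field of a package.json document.

    Assumption (not stated in the article): the operator points this at the
    package.json of the running Ghost install; the file location is theirs
    to confirm.
    """
    return json.loads(contents)["version"]


# Constructed sample input, standing in for an unpatched install's package.json.
SAMPLE_PACKAGE_JSON = '{"name": "ghost", "version": "6.18.0"}'


if __name__ == "__main__":
    for v in ("3.23.9", "3.24.0", "5.0.0", "6.19.0", "6.19.1"):
        status = "AFFECTED, upgrade to 6.19.1+" if is_affected(v) else "outside range"
        print(f"{v:>8}: {status}")
    installed = version_from_package_json(SAMPLE_PACKAGE_JSON)
    print(f"sample package.json reports {installed}: "
          f"{'AFFECTED' if is_affected(installed) else 'outside range'}")
```

Being outside the range only means the version is not in the affected list; it says nothing about whether admin API keys were already taken, so the key rotation step above still applies to any site that ran an affected version while the flaw was being exploited.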
If you are a visitor who encountered a pop-up on a website asking you to paste a command into Windows, do not do it. If you already did, run a scan with your antivirus software right away. Legitimate websites and Cloudflare will never ask you to run terminal commands to prove you are human.
