CVE-2026-25544 - Vulnerability Details

- Payload has an SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters

Description

Payload is a free and open source headless content management system. Prior to 3.73.0, when querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind SQL injection attacks. An unauthenticated attacker could extract sensitive data (emails, password reset tokens) and achieve full account takeover without password cracking. This vulnerability is fixed in 3.73.0.

Published: 2026-02-06

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A blind SQL injection flaw exists in the PayloadCMS headless content management system when querying JSON or richText fields. User-supplied input is inserted directly into PostgreSQL or SQLite SQL statements without proper escaping, allowing an attacker to reveal sensitive information such as email addresses and password reset tokens. Because the vulnerability is unauthenticated, the compromised data can be used to take over user accounts without needing to guess or crack passwords. The weakness corresponds to CWE-89, representing an injection attack.

Affected Systems

Versions of PayloadCMS below 3.73.0 are affected. The vulnerability applies to the PayloadCMS open‑source headless CMS, which typically runs on a Node.js runtime and relies on PostgreSQL or SQLite adapters for data storage. All installations of PayloadCMS that have not upgraded past version 3.73.0 are potentially exposed.

Risk and Exploitability

The CVSS score is 9.8, indicating a critical severity level. However, the EPSS score is less than 1 %, implying a very low probability of exploitation in the wild at present. The vulnerability is not listed in the CISA KEV catalog, but because it permits full account takeover, the impact to confidentiality, integrity, and availability is high. Attackers exploit it by sending crafted JSON or richText queries to the CMS without authenticating, extracting data and hijacking accounts through the revealed credentials.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

payloadcms

payload

affected

Version	Status	Constraints
`< 3.73.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:*

No data.

Vendor	Product	Confidence	Versions
Payloadcms	Payload	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade PayloadCMS to version 3.73.0 or later, where the injection issue is fixed.
If an immediate upgrade is not possible, remove or limit access to JSON and richText fields in external query interfaces to prevent injection attempts.
Ensure the database user account used by the CMS operates with the minimum privileges required, avoiding direct SQL execution rights beyond what the application needs.
Implement input validation to sanitize any data destined for JSON or richText queries, adding an extra layer of protection against injection.

Generated by OpenCVE AI on April 17, 2026 at 22:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-xx6w-jxg9-2wh8	@payloadcms/drizzle has SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00039.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://github.com/payloadcms/payload/security/advisories/GHSA-xx6w-jxg9-2wh8

History

Fri, 20 Feb 2026 20:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:payloadcms:payload::::::node.js::*

Mon, 09 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 09 Feb 2026 11:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Payloadcms Payloadcms payload
Vendors & Products		Payloadcms Payloadcms payload

Fri, 06 Feb 2026 21:30:00 +0000

Type	Values Removed	Values Added
Description		Payload is a free and open source headless content management system. Prior to 3.73.0, when querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind SQL injection attacks. An unauthenticated attacker could extract sensitive data (emails, password reset tokens) and achieve full account takeover without password cracking. This vulnerability is fixed in 3.73.0.
Title		Payload has an SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters
Weaknesses		CWE-89
References		https://github.com/payloadcms/payload/security/advisories/GHSA-xx6w-jxg9-2wh8
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Payloadcms Payload

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-02-06T21:07:01.122Z

Updated: 2026-02-09T15:27:26.616Z

Reserved: 2026-02-02T19:59:47.375Z

Link: CVE-2026-25544

Vulnrichment

Updated: 2026-02-09T15:22:50.808Z

NVD

Status : Analyzed

Published: 2026-02-06T22:16:11.597

Modified: 2026-02-20T20:14:42.860

Link: CVE-2026-25544

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:30:29Z

Weaknesses

CWE-89

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object