Payload has an SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite...

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

Payload is a free and open source headless content management system. Prior to 3.73.0, when querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind SQL injection attacks. An unauthenticated attacker could extract sensitive data (emails, password reset tokens) and achieve full account takeover without password cracking. This vulnerability is fixed in 3.73.0.

AI Analysis

SQL injection vulnerability in Payload CMS allowing unauthenticated attackers to extract sensitive data and achieve full account takeover.

Basic Information

ID CVE-2026-25544

Source GitHub_M

Published Feb 6, 2026 at 21:07

Affected Product

Vendor payloadcms

Product payload

Version < 3.73.0

Affected Versions payloadcms payload < 3.73.0

CWE Classification

CWE-89

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor PayloadCMS

Product Payload

Version < 3.73.0

References

github.com /payloadcms/payload/security/advisories/GHSA-xx6w-jxg9-2wh8

{
    "lastseen": "",
    "description": "Payload is a free and open source headless content management system. Prior to 3.73.0, when querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind SQL injection attacks. An unauthenticated attacker could extract sensitive data (emails, password reset tokens) and achieve full account takeover without password cracking. This vulnerability is fixed in 3.73.0.",
    "published": "2026-02-06T21:07:01.122Z",
    "modified": "2026-02-06T21:07:01.122Z",
    "type": "cve",
    "title": "Payload has an SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters",
    "source": "GitHub_M",
    "references": "https://github.com/payloadcms/payload/security/advisories/GHSA-xx6w-jxg9-2wh8",
    "id": "CVE-2026-25544",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "payloadcms payload < 3.73.0",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "payload",
    "version": "< 3.73.0",
    "vendor": "payloadcms",
    "ai_description": "SQL injection vulnerability in Payload CMS allowing unauthenticated attackers to extract sensitive data and achieve full account takeover.",
    "ai_severity": "Critical",
    "ai_vendor": "PayloadCMS",
    "ai_product": "Payload",
    "ai_version": "< 3.73.0",
    "ai_score": 9.8
}

Payload has an SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters_CVE-2026-25544