← back
CVE-2026-25544

Payload has an SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters

CVSS 9.8 CRITICALEPSS 0.5%CWE-89
Vexday Risk Score
28Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.8EPSS 0.5%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
06 Feb 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Payload is a free and open source headless content management system. Prior to 3.73.0, when querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind SQL injection attacks. An unauthenticated attacker could extract sensitive data (emails, password reset tokens) and achieve full account takeover without password cracking. This vulnerability is fixed in 3.73.0.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
payloadcms · payload

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/payloadcms/payload/security/advisories/GHSA-xx6w-jxg9-2wh8