CVE-2026-25544

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-25544
Payload is a free and open source headless content management system. Prior to 3.73.0, when querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind SQL injection attacks. An unauthenticated attacker could extract sensitive data (emails, password reset tokens) and achieve full account takeover without password cracking. This vulnerability is fixed in 3.73.0.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/payloadcms/payload/security/advisories/GHSA-xx6w-jxg9-2wh8 Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:*
History

20 Feb 2026, 20:14

Type Values Removed Values Added
Summary
  • (es) Payload es un sistema de gestión de contenido 'headless' de código abierto y gratuito. Antes de la versión 3.73.0, al consultar campos JSON o richText, la entrada del usuario se incrustaba directamente en SQL sin escapar, lo que permitía ataques de inyección SQL ciega. Un atacante no autenticado podría extraer datos sensibles (correos electrónicos, tokens de restablecimiento de contraseña) y lograr una toma de control completa de la cuenta sin descifrar contraseñas. Esta vulnerabilidad está corregida en la versión 3.73.0.
References () https://github.com/payloadcms/payload/security/advisories/GHSA-xx6w-jxg9-2wh8 - () https://github.com/payloadcms/payload/security/advisories/GHSA-xx6w-jxg9-2wh8 - Vendor Advisory
CPE cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:*
First Time Payloadcms
Payloadcms payload

06 Feb 2026, 22:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-06 22:16

Updated : 2026-02-20 20:14

NVD link : CVE-2026-25544

Mitre link : CVE-2026-25544

CVE.ORG link : CVE-2026-25544

JSON object : View

Products Affected

payloadcms

  • payload
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')