{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25544", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-02T19:59:47.375Z", "datePublished": "2026-02-06T21:07:01.122Z", "dateUpdated": "2026-02-09T15:27:26.616Z"}, "containers": {"cna": {"title": "Payload has an SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-xx6w-jxg9-2wh8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/payloadcms/payload/security/advisories/GHSA-xx6w-jxg9-2wh8"}], "affected": [{"vendor": "payloadcms", "product": "payload", "versions": [{"version": "< 3.73.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T21:07:01.122Z"}, "descriptions": [{"lang": "en", "value": "Payload is a free and open source headless content management system. Prior to 3.73.0, when querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind SQL injection attacks. An unauthenticated attacker could extract sensitive data (emails, password reset tokens) and achieve full account takeover without password cracking. This vulnerability is fixed in 3.73.0."}], "source": {"advisory": "GHSA-xx6w-jxg9-2wh8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-09T15:22:49.977904Z", "id": "CVE-2026-25544", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:27:26.616Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25544", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-09T15:22:49.977904Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:22:50.808Z"}}], "cna": {"title": "Payload has an SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters", "source": {"advisory": "GHSA-xx6w-jxg9-2wh8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "payloadcms", "product": "payload", "versions": [{"status": "affected", "version": "< 3.73.0"}]}], "references": [{"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-xx6w-jxg9-2wh8", "name": "https://github.com/payloadcms/payload/security/advisories/GHSA-xx6w-jxg9-2wh8", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Payload is a free and open source headless content management system. Prior to 3.73.0, when querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind SQL injection attacks. An unauthenticated attacker could extract sensitive data (emails, password reset tokens) and achieve full account takeover without password cracking. This vulnerability is fixed in 3.73.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T21:07:01.122Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25544", "state": "PUBLISHED", "dateUpdated": "2026-02-09T15:27:26.616Z", "dateReserved": "2026-02-02T19:59:47.375Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-06T21:07:01.122Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "D8DFE235-8E7F-495B-B4A1-B7B6EDD2A988", "versionEndExcluding": "3.73.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Payload is a free and open source headless content management system. Prior to 3.73.0, when querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind SQL injection attacks. An unauthenticated attacker could extract sensitive data (emails, password reset tokens) and achieve full account takeover without password cracking. This vulnerability is fixed in 3.73.0."}, {"lang": "es", "value": "Payload es un sistema de gesti\u00f3n de contenido 'headless' de c\u00f3digo abierto y gratuito. Antes de la versi\u00f3n 3.73.0, al consultar campos JSON o richText, la entrada del usuario se incrustaba directamente en SQL sin escapar, lo que permit\u00eda ataques de inyecci\u00f3n SQL ciega. Un atacante no autenticado podr\u00eda extraer datos sensibles (correos electr\u00f3nicos, tokens de restablecimiento de contrase\u00f1a) y lograr una toma de control completa de la cuenta sin descifrar contrase\u00f1as. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 3.73.0."}], "id": "CVE-2026-25544", "lastModified": "2026-02-20T20:14:42.860", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-06T22:16:11.597", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/payloadcms/payload/security/advisories/GHSA-xx6w-jxg9-2wh8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T22:24:28.829430+00:00", "value": {"mitigation_remediation": ["Upgrade PayloadCMS to version 3.73.0 or later, where the injection issue is fixed.", "If an immediate upgrade is not possible, remove or limit access to JSON and richText fields in external query interfaces to prevent injection attempts.", "Ensure the database user account used by the CMS operates with the minimum privileges required, avoiding direct SQL execution rights beyond what the application needs.", "Implement input validation to sanitize any data destined for JSON or richText queries, adding an extra layer of protection against injection."], "summary": {"action": "Apply patch", "impact": "Full account takeover via blind SQL injection"}, "threat_synthesis": {"affected_systems": "Versions of PayloadCMS below 3.73.0 are affected. The vulnerability applies to the PayloadCMS open\u2011source headless CMS, which typically runs on a Node.js runtime and relies on PostgreSQL or SQLite adapters for data storage. All installations of PayloadCMS that have not upgraded past version 3.73.0 are potentially exposed.", "description_and_impact": "A blind SQL injection flaw exists in the PayloadCMS headless content management system when querying JSON or richText fields. User-supplied input is inserted directly into PostgreSQL or SQLite SQL statements without proper escaping, allowing an attacker to reveal sensitive information such as email addresses and password reset tokens. Because the vulnerability is unauthenticated, the compromised data can be used to take over user accounts without needing to guess or crack passwords. The weakness corresponds to CWE-89, representing an injection attack.", "risk_and_exploitability": "The CVSS score is 9.8, indicating a critical severity level. However, the EPSS score is less than 1\u202f%, implying a very low probability of exploitation in the wild at present. The vulnerability is not listed in the CISA KEV catalog, but because it permits full account takeover, the impact to confidentiality, integrity, and availability is high. Attackers exploit it by sending crafted JSON or richText queries to the CMS without authenticating, extracting data and hijacking accounts through the revealed credentials."}}}}, "created": "2026-02-09T10:49:32.712797+00:00", "updated": "2026-04-17T22:30:29.594528+00:00", "vendors": ["payloadcms", "payloadcms$PRODUCT$payload"]}