Payload
CVE-2026-25544
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 5 npm packages depend on @payloadcms/drizzle (4 direct, 1 indirect)
Ecosystem-wide dependent count for version 3.73.0.
DescriptionGitHub Advisory
Payload is a free and open source headless content management system. Prior to 3.73.0, when querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind SQL injection attacks. An unauthenticated attacker could extract sensitive data (emails, password reset tokens) and achieve full account takeover without password cracking. This vulnerability is fixed in 3.73.0.
AnalysisAI
Payload CMS prior to 3.73.0 has a SQL injection vulnerability when querying structured data, enabling database compromise on the headless CMS.
Technical ContextAI
Payload CMS < 3.73.0 has a CWE-89 SQL injection vulnerability when processing structured queries against the content database.
RemediationAI
Update Payload CMS to 3.73.0+.
An arbitrary file upload vulnerability in the file upload module of PayloadCMS v0.15.0 allows attackers to execute arbit
Stored Cross-Site Scripting (XSS) in Payload CMS versions prior to 3.78.0 allows authenticated users with write permissi
SQL injection in Payload CMS versions prior to 3.79.1 allows authenticated attackers to manipulate database queries and
Server-Side Request Forgery in Payload CMS versions prior to 3.79.1 allows authenticated users with upload permissions t
Payload CMS prior to v3.75.0 contains a Server-Side Request Forgery vulnerability in its external file upload feature th
Payload is a free and open source headless content management system. Rated medium severity (CVSS 6.5), this vulnerabili
Payload CMS versions prior to 3.79.1 contain a cross-site request forgery (CSRF) vulnerability in the authentication flo
Cross-collection IDOR in Payload CMS before v3.74.0 allows authenticated users to read and delete preferences from other
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-xx6w-jxg9-2wh8