Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Lifecycle Timeline
4Blast Radius
ecosystem impact- 2 npm packages depend on payload (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 3.79.1.
DescriptionGitHub Advisory
Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections. This issue has been patched in version 3.79.1.
AnalysisAI
SQL injection in Payload CMS versions prior to 3.79.1 allows authenticated attackers to manipulate database queries and exfiltrate or modify collection data. The vulnerability stems from inadequate input validation on request parameters, enabling low-privilege users to craft malicious SQL queries with low attack complexity over the network. No public exploit identified at time of analysis. EPSS risk data not available, but the CVSS score of 8.5 with scope change (S:C) indicates potential for significant impact beyond the vulnerable component.
Technical ContextAI
Payload is a headless content management system built on Node.js that provides API-first content management capabilities. This vulnerability represents a classic SQL injection flaw (CWE-89) where user-controlled input from HTTP requests is incorporated into SQL queries without proper sanitization or parameterization. The affected component processes request inputs that directly influence SQL query construction for database operations on collections (Payload's term for content types/tables). The scope change designation in the CVSS vector (S:C) suggests the vulnerability may allow attackers to access resources beyond the immediate vulnerable component, potentially affecting the underlying database or other collections not intended for the authenticated user's access level. Affected product CPE would be cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:* with versions below 3.79.1.
RemediationAI
Upgrade immediately to Payload CMS version 3.79.1, which contains the vendor-released patch addressing the SQL injection vulnerability. Download the patched release from the official GitHub repository at https://github.com/payloadcms/payload/releases/tag/v3.79.1 and follow standard upgrade procedures for Node.js applications, including dependency updates via npm or yarn package managers. Review the security advisory at https://github.com/payloadcms/payload/security/advisories/GHSA-7xxh-373w-35vg for additional context. No workarounds are documented; upgrading to the patched version is the only complete remediation. Organizations unable to upgrade immediately should implement compensating controls including restricting authenticated user access, monitoring database query logs for suspicious patterns, deploying web application firewalls with SQL injection signatures, and limiting network access to the CMS administrative interfaces to trusted IP ranges.
An arbitrary file upload vulnerability in the file upload module of PayloadCMS v0.15.0 allows attackers to execute arbit
Payload CMS prior to 3.73.0 has a SQL injection vulnerability when querying structured data, enabling database compromis
Stored Cross-Site Scripting (XSS) in Payload CMS versions prior to 3.78.0 allows authenticated users with write permissi
Server-Side Request Forgery in Payload CMS versions prior to 3.79.1 allows authenticated users with upload permissions t
Payload CMS prior to v3.75.0 contains a Server-Side Request Forgery vulnerability in its external file upload feature th
Payload is a free and open source headless content management system. Rated medium severity (CVSS 6.5), this vulnerabili
Payload CMS versions prior to 3.79.1 contain a cross-site request forgery (CSRF) vulnerability in the authentication flo
Cross-collection IDOR in Payload CMS before v3.74.0 allows authenticated users to read and delete preferences from other
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18013
GHSA-7xxh-373w-35vg