CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Lifecycle Timeline
Description
Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections. This issue has been patched in version 3.79.1.
Analysis
SQL injection in Payload CMS versions prior to 3.79.1 allows authenticated attackers to manipulate database queries and exfiltrate or modify collection data. The vulnerability stems from inadequate input validation on request parameters, enabling low-privilege users to craft malicious SQL queries with low attack complexity over the network. …
Remediation
Within 24 hours: Inventory all Payload CMS deployments and document their current versions; where operationally feasible, disable or restrict access to instances running versions prior to 3.79.1. Within 7 days: Enable database query logging and real-time monitoring for anomalous SQL patterns; restrict CMS user roles to the minimum required permissions and audit existing user accounts for unnecessary privileges. …
External POC / Exploit Code
EUVD-2026-18013
GHSA-7xxh-373w-35vg