Platform: nodejs
Component: payloadcms/payload
Fixed in: 3.73.1
CVE-2026-25544 is a critical SQL injection vulnerability in Payload CMS. When a collection is queried on a JSON or richText field, the query input reaches the generated SQL as text rather than as a bound parameter, so an unauthenticated attacker can inject SQL through an ordinary query request. Successful exploitation exposes sensitive data from the database and can lead to complete account compromise. Deployments backed by a SQL database adapter and running a release before the fix are affected. The advisory summary cites 3.73.0 as the first patched version, while the fixed release listed above is 3.73.1; upgrading to 3.73.1 or later satisfies both.
The impact is severe because exploitation requires no credentials and leads directly to account takeover. Through the injected queries an attacker reads from the database at will; in particular, user email addresses and password reset tokens can be retrieved, and a valid reset token lets the attacker set a new password for that account without cracking the stored hash. Since the entry point is unauthenticated, every internet-exposed instance running a vulnerable version is in scope, not only those where an attacker already holds an account.
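To make the failure mode concrete, the following is an added illustration, not Payload's own code, of the two ways a `where` condition on a JSON column can be rendered into a Postgres query: spliced into the SQL text, as the advisory describes, or bound as parameters after validating the key path. The `users` table, its `email`, `reset_password_token` and `meta` columns, and the REST-style inputs are assumptions made for the example.

```javascript
'use strict';
// Added example, not Payload CMS source. Models a "where" condition on a JSON
// column being rendered into Postgres SQL, first unsafely, then safely.
// Assumed schema: users(id, email, reset_password_token, meta jsonb).

// VULNERABLE: the key path and the value are spliced into the SQL text. This is
// the shape of bug the advisory describes: query input becomes part of the query.
function buildVulnerable(column, keyPath, value) {
  return {
    sql: `SELECT id, email FROM users WHERE ${column}->>'${keyPath}' = '${value}'`,
    params: [],
  };
}

// HARDENED: the column must be a known JSON column, each key-path segment must
// be a plain identifier, and both the path and the value travel as bound
// parameters. `#>>` takes a text[] path, so the segments array binds directly
// (node-postgres serialises a JS array as a Postgres array literal).
const JSON_COLUMNS = new Set(['meta']);           // assumed schema
const SEGMENT = /^[A-Za-z_][A-Za-z0-9_]*$/;       // one JSON key: no quotes, spaces or operators

function buildHardened(column, keyPath, value) {
  if (!JSON_COLUMNS.has(column)) {
    throw new Error(`unknown JSON column: ${column}`);
  }
  const segments = keyPath.split('.');
  if (!segments.every((s) => SEGMENT.test(s))) {
    throw new Error(`rejected key path: ${JSON.stringify(keyPath)}`);
  }
  return {
    sql: `SELECT id, email FROM users WHERE ${column} #>> $1 = $2`,
    params: [segments, String(value)],
  };
}

// Two payloads of the kind the advisory's impact statement implies.
const PATH_PAYLOAD = "author' = 'author' OR 1=1 --";                             // returns every row
const VALUE_PAYLOAD = "x' UNION SELECT id, reset_password_token FROM users --";  // pulls reset tokens

// Runs both builders against both payloads and reports what each produced.
function demo() {
  const results = {
    dumpAll: buildVulnerable('meta', PATH_PAYLOAD, 'alice').sql,
    stealTokens: buildVulnerable('meta', 'author', VALUE_PAYLOAD).sql,
    safe: buildHardened('meta', 'author.name', VALUE_PAYLOAD), // payload stays in params[1]
  };
  try {
    buildHardened('meta', PATH_PAYLOAD, 'alice');
    results.pathRejected = false;
  } catch (err) {
    results.pathRejected = true; // the quote and spaces fail the identifier check
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The hardened builder never lets user text decide the structure of the statement: the column comes from an allowlist, the path is reduced to identifier-only segments, and the comparison value is bound by the driver. Note that the vulnerable form is not rescued by escaping the value alone, since the key path is a second injection point.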
CVE-2026-25544 was publicly disclosed on 2026-02-06. No exploitation in the wild has been publicly confirmed and the vulnerability is not listed in the CISA KEV catalog; the EPSS score below is correspondingly low. Even so, an unauthenticated injection with a direct path to password reset tokens is an attractive target, and public proof-of-concept code should be expected.
Exploit Status
EPSS: 0.04% (11th percentile)
The primary mitigation for CVE-2026-25544 is to upgrade Payload CMS to 3.73.1 or later without delay. If an immediate upgrade is not possible, a Web Application Firewall rule that rejects `where` conditions on JSON and richText fields containing SQL metacharacters (quotes, comment markers, UNION or SELECT keywords) reduces exposure, but it is a stopgap rather than a fix: pattern matching can be evaded with alternative encodings. Review application and database logs for unusual queries against JSON and richText columns. Because password reset tokens are among the data this flaw exposes, treat any reset tokens outstanding on a previously exposed instance as compromised: invalidate them and check for recent password resets that users did not request. After upgrading, confirm the running version and, in a test environment, verify that query conditions carrying SQL metacharacters on JSON or richText fields are handled as data rather than executed.
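As an added example of the monitoring advice above (not a Payload feature), the following heuristic scans web-server access-log lines for Payload-style REST `where[...]` parameters whose field path, operator or value carries SQL metacharacters. The log lines are constructed for the example, and the `/api/posts` and `/api/users` routes and the `meta` field are assumptions.

```javascript
'use strict';
// Added detection heuristic, not Payload CMS code. Payload's REST API encodes
// filters as bracketed query parameters, e.g. where[meta.author][equals]=alice.
// This scan flags requests whose bracketed path, operator or value contains
// characters that have no business in a field name or an ordinary filter value.

const SUSPICIOUS = /['";]|--|\/\*|\bunion\b|\bselect\b/i;

// Returns one entry per suspicious `where` parameter in a request target.
function suspiciousWhereParams(requestTarget) {
  const url = new URL(requestTarget, 'http://localhost'); // base only so relative targets parse
  const hits = [];
  for (const [key, value] of url.searchParams) {
    if (!key.startsWith('where')) continue;
    // Pull the bracketed pieces out of where[<field path>][<operator>]
    const parts = [...key.matchAll(/\[([^\]]*)\]/g)].map((m) => m[1]);
    const fieldPath = parts[0] || '';
    const operator = parts[1] || '';
    if (SUSPICIOUS.test(fieldPath) || SUSPICIOUS.test(operator) || SUSPICIOUS.test(value)) {
      hits.push({ fieldPath, operator, value });
    }
  }
  return hits;
}

// Scans combined-log-format lines; returns findings tagged with 1-based line numbers.
function scanAccessLog(lines) {
  const findings = [];
  lines.forEach((line, i) => {
    const m = line.match(/"[A-Z]+ (\S+) HTTP\//); // request target between method and protocol
    if (!m) return;
    for (const hit of suspiciousWhereParams(m[1])) {
      findings.push({ line: i + 1, ...hit });
    }
  });
  return findings;
}

// Constructed sample lines: a normal filter, an injected field path, an injected value, a plain fetch.
const SAMPLE_LOG = [
  '198.51.100.7 - - [06/Feb/2026:10:00:01 +0000] "GET /api/posts?where%5Bmeta.author%5D%5Bequals%5D=alice&limit=10 HTTP/1.1" 200 5120',
  '203.0.113.5 - - [06/Feb/2026:10:00:02 +0000] "GET /api/posts?where%5Bmeta.author%27%20OR%201%3D1%20--%5D%5Bequals%5D=x HTTP/1.1" 200 98304',
  '203.0.113.5 - - [06/Feb/2026:10:00:03 +0000] "GET /api/users?where%5Bmeta.role%5D%5Bequals%5D=x%27%20UNION%20SELECT%20id%2C%20reset_password_token%20FROM%20users%20-- HTTP/1.1" 200 40960',
  '198.51.100.7 - - [06/Feb/2026:10:00:04 +0000] "GET /api/posts/42 HTTP/1.1" 200 2048',
];

console.log(scanAccessLog(SAMPLE_LOG));
```

Treat the output as triage input rather than a blocking rule: a legitimate `like` filter for a name such as O'Brien trips the apostrophe check, and an attacker can vary encoding to slip past any fixed pattern. The response sizes in the constructed lines hint at the other signal worth correlating, an unusually large response to a filtered list request.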
Upgrade Payload CMS to version 3.73.1 or later; this release fixes the SQL injection vulnerability. Take a backup of the database before upgrading.
CVE-2026-25544 is a critical SQL injection vulnerability in Payload CMS releases before the fixed version listed above (3.73.1). It lets unauthenticated attackers extract sensitive data, including password reset tokens, and take over user accounts.
You are affected if you run a Payload CMS version older than 3.73.1 on a SQL database adapter. Check the installed version (the `payload` entry in your lockfile or `node_modules/payload/package.json`) and upgrade if it is older.
Upgrade Payload CMS to 3.73.1 or later. As a stopgap, a WAF rule filtering SQL injection patterns in `where` query parameters can reduce exposure, but it does not replace the patch.
No active exploitation campaigns have been publicly confirmed, but the vulnerability's ease of exploitation and the value of the exposed data make it a likely target.
Refer to the official Payload CMS security advisory on their website or GitHub repository for detailed information and updates.