Platform
nodejs
Component
payloadcms/payload
Fixed version
3.73.1
CVE-2026-25544 describes a critical SQL injection vulnerability discovered in Payload CMS. When JSON or richText fields are queried, user input is embedded directly into the generated SQL, so an unauthenticated attacker can inject SQL and bypass the application's access controls. Successful exploitation can lead to the extraction of sensitive data and complete account compromise. The vulnerability affects versions of Payload CMS prior to 3.73.0, and a patch is available in version 3.73.0.
The impact of CVE-2026-25544 is severe because exploitation is easy and the outcome can be complete account takeover. An attacker can use the injection to bypass authentication and query the database directly, extracting sensitive information. Specifically, the vulnerability allows attackers to retrieve emails and password reset tokens, which can then be used to gain unauthorized access to user accounts without needing to crack passwords. This represents a significant data breach risk and could lead to further compromise of the system and its data. Because no authentication is required, the attack surface is every reachable instance exposing the affected query endpoints.
CVE-2026-25544 was publicly disclosed on 2026-02-06. While no active exploitation campaigns have been publicly confirmed, the vulnerability's ease of exploitation and the potential for significant data compromise make it a high-priority target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the vulnerability's nature.
Organizations using Payload CMS for headless content management, particularly those relying on JSON or richText fields for content storage, are at significant risk. Shared hosting environments where multiple Payload CMS instances share a database are especially vulnerable, as a compromise of one instance could potentially expose data from others. Legacy configurations with outdated security practices are also at increased risk.
• nodejs: Monitor Payload CMS application logs for SQL injection attempts targeting JSON or richText fields. Look for unusual SQL queries containing user-supplied input.
  grep -i 'payload cms' /var/log/nginx/error.log | grep -i 'sql injection'
• generic web: Use curl to test the affected endpoints with SQL injection payloads (against a test instance) and examine the response for error messages or unexpected data.
  curl -X POST -d "payload='; DROP TABLE users; --" https://your-payload-cms-site/api/endpoint
• database (mysql): Monitor MySQL logs for unusual SQL queries originating from the Payload CMS application. Look for queries containing user-supplied input without proper escaping. The general query log must be enabled and written to a table (general_log=ON, log_output=TABLE); the table records the client as user_host in user@host form, so filter on that column.
  SELECT * FROM mysql.general_log WHERE command_type = 'Query' AND user_host LIKE 'payload_cms_user@%';
Disclosure
Exploitation status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-25544 is to upgrade Payload CMS to version 3.73.0 or later immediately. If upgrading is not immediately feasible, a Web Application Firewall (WAF) with rules that filter SQL injection attempts against JSON and richText field queries is a stopgap, not a fix. In application code, never concatenate user input into SQL: validate field paths against the fields the collection actually exposes and pass values as bind parameters. Monitor database logs for suspicious SQL queries that might indicate an ongoing attack. After upgrading, confirm the fix by re-testing the affected endpoints with the same injection inputs and verifying that the input is properly sanitized.
Upgrade Payload CMS to version 3.73.0 or higher. This version fixes the SQL injection vulnerability. Taking a backup before upgrading is recommended.
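The following is an added example, not code from Payload CMS or its advisory: a constructed Node.js query builder that contrasts the injectable pattern (interpolating a user-supplied JSON field path and value into SQL) with a hardened one (whitelisted path, bound parameters). The table, column and whitelist names are assumptions, and both builders return `{ text, values }` in the shape a parameterised driver call such as node-postgres' `client.query(text, values)` expects; no database is contacted.

```javascript
// Added illustration of the vulnerability class, not Payload CMS code.
// Hypothetical whitelist of JSON paths the collection actually exposes for
// filtering. Anything not listed is rejected before any SQL is built.
const ALLOWED_JSON_PATHS = new Set(['title', 'content.body', 'content.status']);

const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Vulnerable pattern: the caller's path and value land inside string literals
// verbatim, so a quote in either one closes the literal and the rest of the
// input is parsed as SQL.
function buildJsonQueryUnsafe(table, jsonColumn, userPath, userValue) {
  const text =
    `SELECT id FROM ${table} WHERE ${jsonColumn}->>'${userPath}' = '${userValue}'`;
  return { text, values: [] };
}

// Hardened pattern: identifiers are checked against a strict regex, the JSON
// path must be one the application defined, and the path array and the value
// travel as bind parameters, so the database never parses them as SQL.
function buildJsonQuerySafe(table, jsonColumn, userPath, userValue) {
  if (!IDENTIFIER.test(table) || !IDENTIFIER.test(jsonColumn)) {
    throw new Error('invalid SQL identifier');
  }
  if (typeof userPath !== 'string' || !ALLOWED_JSON_PATHS.has(userPath)) {
    throw new Error(`unknown JSON path: ${JSON.stringify(userPath)}`);
  }
  // Postgres #>> takes a text[] path; the array literal is assembled only from
  // whitelisted segments and is still sent as a parameter, not concatenated.
  const pathLiteral = `{${userPath.split('.').join(',')}}`;
  const text = `SELECT id FROM ${table} WHERE ${jsonColumn} #>> $1::text[] = $2`;
  return { text, values: [pathLiteral, String(userValue)] };
}

// Walk-through using the same payload the advisory's curl check sends.
function demo() {
  const hostile = "'; DROP TABLE users; --";
  const unsafe = buildJsonQueryUnsafe('posts', 'content', hostile, 'x');

  let safeRejectedHostilePath = false;
  try {
    buildJsonQuerySafe('posts', 'content', hostile, 'x');
  } catch (e) {
    safeRejectedHostilePath = true;
  }

  // A hostile value is inert in the safe builder: it only ever becomes a
  // bound parameter and never appears in the SQL text.
  const safe = buildJsonQuerySafe('posts', 'content', 'content.body', hostile);

  return {
    unsafeText: unsafe.text,
    unsafeLeaksStatement: unsafe.text.includes('DROP TABLE users'),
    safeRejectedHostilePath,
    safeText: safe.text,
    safeValues: safe.values,
  };
}

console.log(demo());
```

The unsafe builder's output shows the attacker-controlled text spliced into the statement; the safe builder rejects the unknown path outright and, for a legitimate path, keeps the value out of the SQL text entirely. A WAF rule that rejects field paths failing the same identifier check is the request-level equivalent of this validation.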
CVE-2026-25544 is a critical SQL injection vulnerability affecting Payload CMS versions prior to 3.73.0. It allows attackers to extract sensitive data and potentially take over user accounts.
You are affected if you are using Payload CMS version 3.73.0 or earlier. Check your version immediately and upgrade if necessary.
Upgrade Payload CMS to version 3.73.0 or later. As a temporary workaround, deploy a WAF that filters SQL injection attempts.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's ease of exploitation makes it a likely target.
Refer to the official Payload CMS security advisory on the project's website or GitHub repository for detailed information and updates.