Blind SQL Injection Vulnerability in Payload CMS by Payload
CVE-2026-25544

9.8CRITICAL

Key Information:

Vendor: Payloadcms
Status: Payload
Vendor: CVE Published:; 6 February 2026

What is CVE-2026-25544?

A blind SQL injection vulnerability was identified in Payload CMS prior to version 3.73.0. Attackers exploiting this flaw can manipulate user input in JSON or richText fields, allowing SQL commands to be executed directly on the database without proper escaping. This oversight can lead to unauthorized access to sensitive information, including user emails and password reset tokens, enabling full account takeovers without the need for password cracking. Users are strongly encouraged to upgrade to version 3.73.0 to mitigate this risk.

Affected Version(s)

payload < 3.73.0

References

https://github.com/payloadcms/payload/security/advisories...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 6, 2026
Vulnerability Reserved
Feb 2, 2026

CVE-2026-25544 Data

JSON

Payloadcms

What is CVE-2026-25544?

Affected Version(s)

References

CVSS V3.1

Timeline