CVE-2026-25544 CRITICAL

CVE-2026-25544: Payload has an SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters

Vendor Payloadcms

Product payload

Weakness CWE-89 · SQLi

Published February 6, 2026

Last update February 9, 2026

View on NVD All CVEs

CVSS base score

9.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Payload is a free and open source headless content management system. Prior to 3.73.0, when querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind SQL injection attacks. An unauthenticated attacker could extract sensitive data (emails, password reset tokens) and achieve full account takeover without password cracking. This vulnerability is fixed in 3.73.0.

Key dates

02Disclosure timeline

February 6, 2026 CVE published

February 9, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-25544 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/89.html

Related vulnerabilities

CVE-2026-25544: Payload has an SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters

01Description

02Disclosure timeline

03References

04Related CVE