CVE-2026-25544
📋 TL;DR
This is a critical SQL injection vulnerability in Payload CMS versions before 3.73.0 that allows unauthenticated attackers to extract sensitive data and achieve full account takeover. The vulnerability affects all systems running vulnerable Payload CMS instances where JSON or richText fields are queried. Attackers can steal emails, password reset tokens, and other sensitive information without password cracking.
💻 Affected Systems
- Payload CMS
📦 What is this software?
Payload by Payloadcms
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all user accounts, extraction of all sensitive data from the database, and potential server takeover if database permissions allow.
Likely Case
Extraction of user emails, password reset tokens, and authentication data leading to account takeover of administrators and users.
If Mitigated
Limited impact if proper input validation and WAF rules are in place, but SQL injection could still bypass some controls.
🎯 Exploit Status
SQL injection is well-understood with many automated tools available. The advisory confirms unauthenticated exploitation is possible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.73.0
Vendor Advisory: https://github.com/payloadcms/payload/security/advisories/GHSA-xx6w-jxg9-2wh8
Restart Required: Yes
Instructions:
1. Backup your database and application files.
2. Update Payload CMS to version 3.73.0 or later using npm: 'npm update payload@^3.73.0'.
3. Restart your Payload CMS application.
4. Verify the update was successful.
🔧 Temporary Workarounds
Input Validation Middleware
Implement custom middleware to validate and sanitize all user input before processing JSON or richText field queries.
WAF Rule Implementation
Deploy web application firewall rules to detect and block SQL injection attempts targeting JSON or richText endpoints.
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries for all JSON and richText field operations.
- Deploy a web application firewall with SQL injection detection rules and restrict access to vulnerable endpoints.
🔍 How to Verify
Check if Vulnerable:
Check your package.json or run 'npm list payload' to see whether the installed version is below 3.73.0.
Check Version:
npm list payload | grep payload
Verify Fix Applied:
After updating, verify version is 3.73.0 or higher with 'npm list payload' and test that JSON/richText field queries no longer accept unescaped SQL.
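As an added check that is not part of the advisory, the following script applies the 3.73.0 threshold to the text printed by 'npm list payload' (fed via stdin, or the constructed sample below when run interactively); it treats a prerelease of 3.73.0 as still below the fix and flags any nested or deduped copy of the package.

```python
"""Flag Payload CMS installs affected by CVE-2026-25544 (fixed in 3.73.0).

Added example, not the advisory's or the project's code. It parses the output
of `npm list payload` and reports whether any installed copy is below 3.73.0.
"""
import re
import sys

FIXED_VERSION = "3.73.0"  # patch version stated in the advisory

# Match only the "payload@X.Y.Z" package entry, not the root app's own version
# line (e.g. "my-app@1.0.0") or scoped packages such as "@payloadcms/...".
PKG_RE = re.compile(r"(?<![\w/.-])payload@(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)")
SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")

# Constructed sample of `npm list payload` output for stand-alone runs.
SAMPLE_NPM_LIST = """\
my-app@1.0.0 /srv/my-app
└── payload@3.72.1
"""


def parse_version(version):
    """Return (major, minor, patch, prerelease) from a semver string."""
    m = SEMVER_RE.match(version.strip().lstrip("v"))
    if not m:
        raise ValueError(f"not a semver version: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when `version` sorts below the fixed release.

    A prerelease of the fixed version (e.g. 3.73.0-canary.1) is still below it.
    """
    v, f = parse_version(version), parse_version(fixed)
    if v[:3] != f[:3]:
        return v[:3] < f[:3]
    return v[3] is not None and f[3] is None


def check_npm_list(npm_list_output):
    """Return (vulnerable, versions): every payload@ version found, and whether any is affected."""
    versions = PKG_RE.findall(npm_list_output)
    if not versions:
        raise ValueError("no payload@<version> entry found in npm list output")
    return any(is_vulnerable(v) for v in versions), versions


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NPM_LIST
    vulnerable, found = check_npm_list(text)
    print(f"payload versions: {', '.join(found)} -> "
          f"{'VULNERABLE (below ' + FIXED_VERSION + ')' if vulnerable else 'patched'}")
```

Usage: 'npm list payload | python3 check_payload_version.py' (script name assumed).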
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in application logs
- Multiple failed login attempts after password reset token extraction
- Unexpected database queries from JSON/richText endpoints
Network Indicators:
- SQL syntax in HTTP POST/GET parameters to JSON endpoints
- Unusual patterns of requests to /api/ endpoints with SQL keywords
SIEM Query:
source="application.logs" AND ("SELECT" OR "UNION" OR "INSERT" OR "UPDATE") AND ("json" OR "richText")