Threat Advisory

Critical Payload CMS SQLi Exposes Admin Tokens

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

CVE-2026-25544 is a critical vulnerability in the open-source headless content management system Payload CMS, carrying a CVSS score of 9.8 (Critical); it can be exploited remotely without authentication. The flaw is a blind SQL injection in how Payload CMS builds SQL queries for JSON and richText fields when a Drizzle-based database adapter (PostgreSQL or SQLite) is in use. Specifically, user input is embedded directly into SQL commands without proper escaping, so an attacker can alter the structure of the query. This issue affects all installations running Payload CMS versions earlier than 3.73.0. An unauthenticated attacker can leverage the injection to extract sensitive data such as e-mail addresses or password reset tokens from the database. Once an admin's reset token is stolen, the attacker can take over administrative accounts without cracking any password.
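To make the root cause concrete, the following TypeScript example (added here; it is not code from Payload CMS, Drizzle, or the referenced report) contrasts a JSON-field filter built by string concatenation, the pattern the summary describes, with a tagged-template builder that turns every interpolated value into a bind parameter, and includes two small checks a test suite can use to catch the concatenation pattern. The table name `posts`, the columns `content` and `meta`, the JSON path `author` and the `raw()` marker are all constructed for illustration.

```typescript
// Added example, not code from Payload CMS or Drizzle. It contrasts string
// concatenation of a JSON-field filter (the pattern the advisory describes)
// with a tagged-template builder that turns every interpolated value into a
// bind parameter. Table, column and path names are made up for illustration.

interface SqlQuery {
  text: string;      // query text sent to the driver
  params: unknown[]; // bound values, sent separately from the text
}

// Marker for a trusted fragment (an identifier that has already been
// checked against an allow-list) that may be spliced into the text.
class RawSql {
  constructor(public readonly fragment: string) {}
}
const raw = (fragment: string): RawSql => new RawSql(fragment);

// Tagged template: plain values become $1, $2, ... placeholders; RawSql
// fragments are inlined. Untrusted input therefore never reaches the text.
function sql(strings: TemplateStringsArray, ...values: unknown[]): SqlQuery {
  const params: unknown[] = [];
  let text = "";
  strings.forEach((chunk, i) => {
    text += chunk;
    if (i < values.length) {
      const v = values[i];
      if (v instanceof RawSql) {
        text += v.fragment;
      } else {
        params.push(v);
        text += `$${params.length}`;
      }
    }
  });
  return { text, params };
}

// Vulnerable pattern: the JSON path and the filter value are written straight
// into the query string, so a quote character in either one changes the SQL.
function unsafeJsonFilter(path: string, value: string): SqlQuery {
  return {
    text: `SELECT id FROM posts WHERE content->>'${path}' = '${value}'`,
    params: [],
  };
}

// Hardened pattern: the column name comes from an allow-list and is inlined
// as a trusted fragment; the path and the value travel as parameters.
const QUERYABLE_JSON_COLUMNS = new Set(["content", "meta"]);

function safeJsonFilter(column: string, path: string, value: string): SqlQuery {
  if (!QUERYABLE_JSON_COLUMNS.has(column)) {
    throw new Error(`column not queryable: ${column}`);
  }
  return sql`SELECT id FROM posts WHERE ${raw(`"${column}"`)}->>${path} = ${value}`;
}

// Review helpers: does the query text still contain the raw user input, and
// are its single quotes balanced? A failing answer flags the concatenation
// pattern in a unit test before it ever reaches a database.
function leaksInput(query: SqlQuery, input: string): boolean {
  return query.text.includes(input);
}
function quotesBalanced(query: SqlQuery): boolean {
  return (query.text.match(/'/g) ?? []).length % 2 === 0;
}

// Demonstration with a harmless value that merely contains an apostrophe:
// the concatenated query is already malformed, the parameterised one is not.
const author = "O'Brien";
console.log(unsafeJsonFilter("author", author));
console.log(safeJsonFilter("content", "author", author));
```

The point of the two helpers is that the defect is visible without any attacker involvement: an ordinary value containing a single quote is enough to show that the input has become part of the query text. In a real adapter the `sql` tag and `raw()` marker correspond to whatever parameterisation facility the query builder provides; the fix is to route field values through it and restrict identifiers to an allow-list, never to escape values by hand.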

RECOMMENDATION:

We strongly recommend you update Payload CMS to version 3.73.0 or later.

REFERENCES:

The following reports contain further technical details:

https://securityonline.info/cve-2026-25544-critical-payload-cms-sqli-cvss-9-8-exposes-admin-tokens/