CVE-2026-25544 represents a critical vulnerability in the payload component of payloadcms, a free and open-source headless content management system. This vulnerability allows for blind SQL injection attacks due to improper handling of user input when querying JSON or richText fields. The issue exists in versions prior to 3.73.0, where user input was directly embedded into SQL statements without escaping. An attacker can exploit this vulnerability without authentication, extracting sensitive data such as emails and password reset tokens, potentially leading to complete account takeover without the need for password cracking.
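As an added illustration (not Payload's own code), the following contrasts a query builder that splices user input straight into the SQL text, the defect class this CVE describes for JSON and richText field queries, with a version that keeps the statement fixed and sends the path and value as bind parameters. Table, column and JSON key names are hypothetical, and no database is contacted.

```javascript
// Two ways to build a WHERE clause that filters on a key inside a Postgres
// JSON column. Names are hypothetical; no database connection is made.

function buildJsonFilterUnsafe(table, column, path, value) {
  // Vulnerable pattern: `value` is interpolated into the SQL string, so any
  // quote character in it changes the statement instead of being compared.
  return {
    text: `SELECT id FROM ${table} WHERE ${column}->>'${path}' = '${value}'`,
    values: [],
  };
}

function buildJsonFilterSafe(table, column, path, value) {
  // Hardened pattern: identifiers are validated against a strict allow-list and
  // double-quoted; the JSON key and the compared value travel as $1/$2 bind
  // parameters, so the database never parses them as SQL.
  for (const ident of [table, column]) {
    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(ident)) {
      throw new Error(`invalid identifier: ${ident}`);
    }
  }
  return {
    text: `SELECT id FROM "${table}" WHERE "${column}"->>$1 = $2`,
    values: [path, value],
  };
}

// Demonstration-only check: after embedding the value, does the statement text
// still contain an even number of single quotes? An odd count means the value
// broke out of its string literal.
function hasBalancedQuotes(sql) {
  return (sql.match(/'/g) || []).length % 2 === 0;
}

// Constructed sample input: an ordinary value containing an apostrophe is
// enough to show that unescaped embedding corrupts the statement.
const sampleValue = "O'Brien";

const unsafe = buildJsonFilterUnsafe('pages', 'content', 'author', sampleValue);
const safe = buildJsonFilterSafe('pages', 'content', 'author', sampleValue);

console.log('unsafe balanced:', hasBalancedQuotes(unsafe.text)); // false
console.log('safe balanced:', hasBalancedQuotes(safe.text));     // true
```

The safe builder never places the user value in the statement text at all; it is only ever reachable through `values`, which is what a parameterized driver call expects.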
The CVSS score for this vulnerability is 9.8, categorizing it as critical. This high severity indicates a significant risk to organizations that utilize the affected versions of payloadcms. Given the potential for unauthorized data access and account takeover, organizations must prioritize remediation efforts.
The vulnerability was published on February 6, 2026, and a fix is available in version 3.73.0. Although no public exploit or active exploitation has been reported, the flaw can be exploited without authentication, so patching remains urgent.
Organizations using versions of payloadcms prior to 3.73.0 should take immediate action to update their systems to mitigate the risks associated with this vulnerability.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.