A massive security hole has been blown open in Payload, the popular “Next.js native CMS” designed to live directly inside application folders. The vulnerability, tracked as CVE-2026-25544, carries a critical CVSS score of 9.8, allowing unauthenticated attackers to perform blind SQL injection attacks and potentially take over administrative accounts.
For developers who chose Payload to power their headless architecture, this news serves as a critical call to action: patch now, or risk losing your data.
The vulnerability resides in how Payload’s Drizzle-based database adapters (the PostgreSQL and SQLite ones) build queries for two specific field types. When a query was made against a json or richText field, the adapter embedded the filter value supplied by the client directly into the SQL text instead of escaping it or passing it as a bound parameter.
The advisory explains the technical failure: “When querying JSON or rich Text fields, user input was directly embedded into SQL without escaping, enabling blind SQL injection attacks”.
This means an attacker doesn’t need a password or a login token. By crafting a specific query against a publicly readable collection, they can trick the database into revealing information it shouldn’t, one bit at a time. “Blind” here means the response never shows the stolen data directly: the attacker infers it from whether each crafted query returns rows or not, so extraction is slow but entirely automatable.
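As an added illustration of the bug class the advisory describes (this is not Payload’s own code, and the table, column and probe below are hypothetical), here is a “contains”-style filter on a JSON column built by string interpolation next to the same filter built with a bound parameter, plus a small scanner that shows which part of the resulting SQL the database would treat as code:

```typescript
// Added illustration of the bug class in the advisory, NOT Payload's actual code.
// Table/column names and the probe payload are hypothetical.

interface ParameterizedQuery {
  text: string;
  values: unknown[];
}

const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Vulnerable pattern: the request-controlled value is spliced into the SQL text.
// A single quote inside `needle` closes the literal and everything after it is
// parsed as SQL, which is exactly what enables a blind injection.
function buildContainsUnsafe(table: string, column: string, needle: string): string {
  return `SELECT id FROM "${table}" WHERE "${column}"::text LIKE '%${needle}%'`;
}

// Hardened pattern: identifiers are validated against schema naming rules and
// the value travels as a bound parameter ($1), so it can never alter the
// query's structure no matter which characters it contains.
function buildContainsSafe(table: string, column: string, needle: string): ParameterizedQuery {
  if (!IDENTIFIER.test(table) || !IDENTIFIER.test(column)) {
    throw new Error('identifiers must come from the schema, never from the request');
  }
  return {
    text: `SELECT id FROM "${table}" WHERE "${column}"::text LIKE '%' || $1 || '%'`,
    values: [needle],
  };
}

// A generic boolean-based blind probe (hypothetical table and column). With the
// unsafe builder, whether the response contains rows answers one yes/no
// question about the data; an attacker repeats this for every character.
const blindProbe =
  "x' OR (SELECT substr(secret, 1, 1) FROM other_table LIMIT 1) = 'a' --";

// Returns the SQL with every string literal replaced by `?` and the trailing
// `--` comment dropped, i.e. the text the database would treat as code.
// Simplified scanner: understands '' escaping, not dollar quoting.
function sqlCodeShape(sql: string): string {
  let out = '';
  let inLiteral = false;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (inLiteral) {
      if (ch === "'") {
        if (sql[i + 1] === "'") { i++; continue; } // escaped quote inside literal
        inLiteral = false;
      }
      continue;
    }
    if (ch === "'") { inLiteral = true; out += '?'; continue; }
    if (ch === '-' && sql[i + 1] === '-') break; // rest of this single-line query is a comment
    out += ch;
  }
  return out;
}

// The unsafe shape now contains "OR (SELECT" as code; the safe one does not.
const unsafeShape = sqlCodeShape(buildContainsUnsafe('posts', 'content', blindProbe));
const safeShape = sqlCodeShape(buildContainsSafe('posts', 'content', blindProbe).text);
console.log(unsafeShape);
console.log(safeShape);
```

The point is the shape, not the exact payload: in the unsafe version the attacker’s subquery becomes part of the WHERE clause and the `--` comments out the rest, while in the safe version the same string is just the value of `$1`.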
The stakes for this vulnerability are incredibly high because of what can be stolen. It isn’t just about reading a few blog posts; it’s about the keys to the castle.
“An unauthenticated attacker could extract sensitive data (emails, password reset tokens) and achieve full account takeover without password cracking,” the report warns.
With a stolen password reset token, an attacker can simply reset the administrator’s password, log in, and have full control over the CMS and its content.
Not every Payload installation is at risk. The vulnerability only affects installations that meet all three of the following criteria:
- Version: You are running a version of Payload less than v3.73.0.
- Database: You are using a Drizzle-based adapter, such as @payloadcms/db-postgres, @payloadcms/db-vercel-postgres, @payloadcms/db-sqlite, or @payloadcms/db-d1-sqlite.
- Schema: You have at least one collection with a json or richText field that is readable without authentication (in the advisory’s terms, access.read is not false).
Notably, installations using the MongoDB adapter (@payloadcms/db-mongodb) are not affected, because the flaw lives in the Drizzle-based SQL adapters.
The maintainers have released a fix in Payload v3.73.0. Upgrading to this version or later immediately resolves the issue.
For teams that cannot upgrade right away, there is a temporary workaround, though it comes at a cost to functionality. Administrators can lock down the vulnerable fields by adding “access: { read: () => false }” to all json and richText fields. This hides those fields from queries and blocks the attack vector until the patch can be applied, but it also removes them from API responses, so any front end that renders richText or json content from those collections will lose that content in the meantime. The workaround only works if it covers every such field in every collection, including fields nested inside groups, arrays, tabs and blocks; a single missed public field is enough to keep the injection reachable.
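As an added example (not Payload’s own code), here is a helper that applies that workaround to a collection config programmatically, walking nested container fields so no json or richText field is missed. The minimal Field and CollectionConfig types are local stand-ins for Payload’s exported types (an assumption made so the file runs without the payload package), and the sample collection is constructed for the demonstration:

```typescript
// Added example, not Payload's own code. Applies the advisory's workaround
// (access.read returning false) to every json and richText field, including
// fields nested in groups, arrays, rows, collapsibles, tabs and blocks.

// Local stand-ins for Payload's Field / CollectionConfig types (assumption).
interface FieldAccess {
  read?: (args?: unknown) => boolean | Promise<boolean>;
  update?: (args?: unknown) => boolean | Promise<boolean>;
}

interface Field {
  name?: string;
  type: string;
  access?: FieldAccess;
  fields?: Field[];                                // group, array, row, collapsible
  tabs?: { fields: Field[] }[];                    // tabs
  blocks?: { slug: string; fields: Field[] }[];    // blocks
}

interface CollectionConfig {
  slug: string;
  fields: Field[];
}

const VULNERABLE_TYPES = new Set(['json', 'richText']);

// All child field lists a container field can carry.
function childFieldLists(field: Field): Field[][] {
  const lists: Field[][] = [];
  if (field.fields) lists.push(field.fields);
  if (field.tabs) lists.push(...field.tabs.map((t) => t.fields));
  if (field.blocks) lists.push(...field.blocks.map((b) => b.fields));
  return lists;
}

// Mutates the field list in place; returns how many fields were locked.
// Existing create/update access functions on the field are preserved.
function lockJsonAndRichTextFields(fields: Field[]): number {
  let locked = 0;
  for (const field of fields) {
    if (VULNERABLE_TYPES.has(field.type)) {
      field.access = { ...(field.access ?? {}), read: () => false };
      locked += 1;
    }
    for (const nested of childFieldLists(field)) {
      locked += lockJsonAndRichTextFields(nested);
    }
  }
  return locked;
}

function applyWorkaround(collection: CollectionConfig): number {
  return lockJsonAndRichTextFields(collection.fields);
}

// Names of fields whose read access now denies, for verification.
function lockedFieldNames(fields: Field[]): string[] {
  const names: string[] = [];
  for (const field of fields) {
    if (field.name && field.access?.read && field.access.read({}) === false) names.push(field.name);
    for (const nested of childFieldLists(field)) names.push(...lockedFieldNames(nested));
  }
  return names;
}

// Constructed sample collection covering the nesting cases (not a real project).
const samplePosts: CollectionConfig = {
  slug: 'posts',
  fields: [
    { name: 'title', type: 'text' },
    { name: 'content', type: 'richText', access: { update: () => true } },
    { name: 'meta', type: 'group', fields: [{ name: 'extra', type: 'json' }] },
    { type: 'tabs', tabs: [{ fields: [{ name: 'body', type: 'richText' }] }] },
    { name: 'layout', type: 'blocks', blocks: [{ slug: 'hero', fields: [{ name: 'data', type: 'json' }] }] },
  ],
};

console.log('locked', applyWorkaround(samplePosts), 'fields:', lockedFieldNames(samplePosts.fields));
```

Run it over every collection (and any globals with such fields) before exporting the config, and check the printed list against your schema; then remove the override once you are on v3.73.0 or later, since it is a stopgap, not a fix.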