CNNVD-202602-940 Information

CNNVD ID

CNNVD-202602-940

CVE-2026-25544

  • CNNVD Published: 2026-02-06

Description

Payload is a headless CMS and application framework built with TypeScript, Node.js, React and MongoDB. Versions of Payload before 3.73.0 contain a SQL injection vulnerability: when querying JSON or richText fields, user input is embedded directly into SQL without escaping, which may lead to SQL injection attacks.

Hazard Level

High

Vulnerability Type

SQL injection

Affected Vendor

Individual developer

Published

2026-02-06

Last Modified

2026-02-24

References

https://github.com/payloadcms/payload/security/advisories/GHSA-xx6w-jxg9-2wh8

https://access.redhat.com/security/cve/cve-2026-25544

Patch

https://github.com/payloadcms/payload/releases
