@payloadcms/drizzle has SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters

Severity:: High

Description

When querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind SQL Injection attacks. An unauthenticated attacker could extract sensitive data (emails, password reset tokens) and achieve full account takeover without password cracking.

Users are affected if ALL of these are true:

Recommendation

Update the @payloadcms/drizzle package to the latest compatible version. Followings are version details:

Affected version(s): < 3.73.0
Patched version(s): 3.73.0

References

GHSA-xx6w-jxg9-2wh8
CVE-2026-25544
CWE-89
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter - CVE-2026-33539
Parse Server has a SQL injection via query field name when using PostgreSQL - CVE-2026-32234
Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys. - CVE-2026-33442
Drizzle ORM has SQL injection via improperly escaped SQL identifiers - CVE-2026-39356

44 New SQL Injection Tests for WordPress in SmartScanner 1.8

How do hackers hack websites?

Update Cheat Sheet for Developers

Tags:: npm; @payloadcms/drizzle

Anything's wrong? Let us know Last updated on February 07, 2026