@payloadcms/drizzle has SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters
- Severity: High
Description
When querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind SQL Injection attacks. An unauthenticated attacker could extract sensitive data (emails, password reset tokens) and achieve full account takeover without password cracking.
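The defect class the description names, shown as an added example that is not @payloadcms/drizzle code: a JSON-path filter built by pasting caller-supplied path segments and a comparison value into the SQL text, next to a hardened builder that allowlists the column name and binds the path and the value as parameters. The `posts` table, the `content`/`meta` columns and the exact SQL shape are assumptions chosen for illustration, and the driver is assumed to be a PostgreSQL client that accepts `$n` placeholders (such as `pg`). The `leaksUserInput` helper is a regression check a query-builder test suite can run, also an addition here.

```javascript
// Added example (not @payloadcms/drizzle code): a JSON-path filter built by
// string interpolation beside a hardened builder. Table, column names and the
// SQL shape are assumptions for illustration.

// VULNERABLE PATTERN: the JSON path segments and the compared value are pasted
// into the SQL text. A single quote in either one changes the statement.
function buildJsonWhereVulnerable(column, pathSegments, value) {
  const path = `'{${pathSegments.join(",")}}'`;
  return `SELECT id FROM posts WHERE ${column} #>> ${path} = '${value}'`;
}

// HARDENED PATTERN: the column must be one the schema knows about; the path
// and value travel as bound parameters ($1, $2) so the driver (assumed to be a
// PostgreSQL client such as pg) never interprets them as SQL.
const JSON_COLUMNS = new Set(["content", "meta"]); // assumed schema

function buildJsonWhereSafe(column, pathSegments, value) {
  if (!JSON_COLUMNS.has(column)) {
    throw new Error(`unknown JSON column: ${column}`);
  }
  if (!Array.isArray(pathSegments) || !pathSegments.every((s) => typeof s === "string")) {
    throw new Error("path segments must be an array of strings");
  }
  return {
    // $1 is bound as a text[] path, $2 as the text to compare against.
    text: `SELECT id FROM posts WHERE ${column} #>> $1::text[] = $2`,
    params: [pathSegments, String(value)],
  };
}

// Regression check for a query-builder test suite: no raw user input may show
// up verbatim in the SQL text. Inputs shorter than two characters are skipped
// because they would match incidentally.
function leaksUserInput(sqlText, userInputs) {
  return userInputs.some((s) => s.length >= 2 && sqlText.includes(s));
}

// Demo with a constructed, harmless value that happens to contain an apostrophe.
const demoSegments = ["root", "0", "children"];
const demoValue = "O'Brien";
const demoBad = buildJsonWhereVulnerable("content", demoSegments, demoValue);
const demoGood = buildJsonWhereSafe("content", demoSegments, demoValue);

console.log(demoBad); // the quote lands inside the statement: ... = 'O'Brien'
console.log(demoGood.text, demoGood.params); // placeholders only; data stays in params
console.log(
  leaksUserInput(demoBad, [demoValue]), // true
  leaksUserInput(demoGood.text, [demoValue, ...demoSegments]), // false
);
```

The same separation applies to the SQLite adapter path mentioned in the title: `json_extract(column, ?)` with the path and value passed as `?` bindings, never concatenated. In a test suite, run `leaksUserInput` over every generated statement with the inputs that produced it; a hit means some piece of caller-controlled text reached the SQL string unbound.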
Users are affected if ALL of these are true:
1.
Recommendation
Update the @payloadcms/drizzle package to the latest compatible version. Version details:
- Affected version(s): < 3.73.0
- Patched version(s): 3.73.0
References
Related Issues
- Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys - CVE-2026-33442
- Parse Server has a SQL injection via query field name when using PostgreSQL - CVE-2026-32234
- Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter - CVE-2026-33539
- SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>` - CVE-2026-32763
- Tags:
  - npm
  - @payloadcms/drizzle
Last updated on February 07, 2026