Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
22 vulnerabilities found for payload by payloadcms
CVE-2026-34750 (GCVE-0-2026-34750)
Vulnerability from nvd – Published: 2026-04-01 19:51 – Updated: 2026-04-02 15:33
VLAI?
Title
Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints
Summary
Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3, the client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize filenames. An attacker could craft filenames to escape the intended storage location. This issue has been patched in version 3.78.0 for @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3.
Severity ?
6.5 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| payloadcms | payload |
Affected:
< 3.78.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34750",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T15:33:26.614791Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T15:33:58.886Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "payload",
"vendor": "payloadcms",
"versions": [
{
"status": "affected",
"version": "\u003c 3.78.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3, the client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize filenames. An attacker could craft filenames to escape the intended storage location. This issue has been patched in version 3.78.0 for @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T19:51:59.689Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-frq9-7j6g-v74x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-frq9-7j6g-v74x"
}
],
"source": {
"advisory": "GHSA-frq9-7j6g-v74x",
"discovery": "UNKNOWN"
},
"title": "Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34750",
"datePublished": "2026-04-01T19:51:59.689Z",
"dateReserved": "2026-03-30T19:17:10.225Z",
"dateUpdated": "2026-04-02T15:33:58.886Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34749 (GCVE-0-2026-34749)
Vulnerability from nvd – Published: 2026-04-01 19:49 – Updated: 2026-04-06 19:46
VLAI?
Title
Payload has a CSRF Protection Bypass in Authentication Flow
Summary
Payload is a free and open source headless content management system. Prior to version 3.79.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made. This issue has been patched in version 3.79.1.
Severity ?
5.4 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| payloadcms | payload |
Affected:
< 3.79.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34749",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T14:11:02.350739Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T19:46:32.770Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "payload",
"vendor": "payloadcms",
"versions": [
{
"status": "affected",
"version": "\u003c 3.79.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Payload is a free and open source headless content management system. Prior to version 3.79.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made. This issue has been patched in version 3.79.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T19:49:35.934Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-p6mr-xf3r-ghq4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-p6mr-xf3r-ghq4"
},
{
"name": "https://github.com/payloadcms/payload/releases/tag/v3.79.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/payloadcms/payload/releases/tag/v3.79.1"
}
],
"source": {
"advisory": "GHSA-p6mr-xf3r-ghq4",
"discovery": "UNKNOWN"
},
"title": "Payload has a CSRF Protection Bypass in Authentication Flow"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34749",
"datePublished": "2026-04-01T19:49:35.934Z",
"dateReserved": "2026-03-30T19:17:10.224Z",
"dateUpdated": "2026-04-06T19:46:32.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34748 (GCVE-0-2026-34748)
Vulnerability from nvd – Published: 2026-04-01 19:48 – Updated: 2026-04-02 16:24
VLAI?
Title
@payloadcms/next has Stored XSS in Admin Panel
Summary
Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/next, a stored Cross-Site Scripting (XSS) vulnerability existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another user, would execute in their browser. This issue has been patched in version 3.78.0.
Severity ?
8.7 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| payloadcms | payload |
Affected:
< 3.78.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34748",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T15:49:07.409157Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T16:24:38.880Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "payload",
"vendor": "payloadcms",
"versions": [
{
"status": "affected",
"version": "\u003c 3.78.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/next, a stored Cross-Site Scripting (XSS) vulnerability existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another user, would execute in their browser. This issue has been patched in version 3.78.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T19:48:10.297Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-mmxc-95ch-2j7c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-mmxc-95ch-2j7c"
}
],
"source": {
"advisory": "GHSA-mmxc-95ch-2j7c",
"discovery": "UNKNOWN"
},
"title": "@payloadcms/next has Stored XSS in Admin Panel"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34748",
"datePublished": "2026-04-01T19:48:10.297Z",
"dateReserved": "2026-03-30T19:17:10.224Z",
"dateUpdated": "2026-04-02T16:24:38.880Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34747 (GCVE-0-2026-34747)
Vulnerability from nvd – Published: 2026-04-01 19:45 – Updated: 2026-04-04 03:07
VLAI?
Title
Payload has an SQL Injection via Query Handling
Summary
Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections. This issue has been patched in version 3.79.1.
Severity ?
8.5 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| payloadcms | payload |
Affected:
< 3.79.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34747",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-04T03:07:03.829680Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-04T03:07:40.291Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "payload",
"vendor": "payloadcms",
"versions": [
{
"status": "affected",
"version": "\u003c 3.79.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections. This issue has been patched in version 3.79.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T19:45:24.463Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-7xxh-373w-35vg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-7xxh-373w-35vg"
},
{
"name": "https://github.com/payloadcms/payload/releases/tag/v3.79.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/payloadcms/payload/releases/tag/v3.79.1"
}
],
"source": {
"advisory": "GHSA-7xxh-373w-35vg",
"discovery": "UNKNOWN"
},
"title": "Payload has an SQL Injection via Query Handling"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34747",
"datePublished": "2026-04-01T19:45:24.463Z",
"dateReserved": "2026-03-30T19:17:10.224Z",
"dateUpdated": "2026-04-04T03:07:40.291Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34746 (GCVE-0-2026-34746)
Vulnerability from nvd – Published: 2026-04-01 19:43 – Updated: 2026-04-02 15:12
VLAI?
Title
Payload has Authenticated SSRF via Upload Functionality
Summary
Payload is a free and open source headless content management system. Prior to version 3.79.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the upload functionality. Authenticated users with create or update access to an upload-enabled collection could cause the server to make outbound HTTP requests to arbitrary URLs. This issue has been patched in version 3.79.1.
Severity ?
7.7 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| payloadcms | payload |
Affected:
< 3.79.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34746",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T15:10:39.687505Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T15:12:09.290Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "payload",
"vendor": "payloadcms",
"versions": [
{
"status": "affected",
"version": "\u003c 3.79.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Payload is a free and open source headless content management system. Prior to version 3.79.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the upload functionality. Authenticated users with create or update access to an upload-enabled collection could cause the server to make outbound HTTP requests to arbitrary URLs. This issue has been patched in version 3.79.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T19:43:16.700Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-6r7f-q7f5-wpx8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-6r7f-q7f5-wpx8"
},
{
"name": "https://github.com/payloadcms/payload/releases/tag/v3.79.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/payloadcms/payload/releases/tag/v3.79.1"
}
],
"source": {
"advisory": "GHSA-6r7f-q7f5-wpx8",
"discovery": "UNKNOWN"
},
"title": "Payload has Authenticated SSRF via Upload Functionality"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34746",
"datePublished": "2026-04-01T19:43:16.700Z",
"dateReserved": "2026-03-30T19:17:10.224Z",
"dateUpdated": "2026-04-02T15:12:09.290Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34751 (GCVE-0-2026-34751)
Vulnerability from nvd – Published: 2026-04-01 17:42 – Updated: 2026-04-04 03:06
VLAI?
Title
Payload has Unvalidated Input in Password Recovery Endpoints
Summary
Payload is a free and open source headless content management system. Prior to version 3.79.1 in @payloadcms/graphql and payload, a vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset. This issue has been patched in version 3.79.1 for @payloadcms/graphql and payload.
Severity ?
9.1 (Critical)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| payloadcms | payload |
Affected:
< 3.79.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34751",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-04T03:06:01.663817Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-04T03:06:17.817Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "payload",
"vendor": "payloadcms",
"versions": [
{
"status": "affected",
"version": "\u003c 3.79.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Payload is a free and open source headless content management system. Prior to version 3.79.1 in @payloadcms/graphql and payload, a vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset. This issue has been patched in version 3.79.1 for @payloadcms/graphql and payload."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-472",
"description": "CWE-472: External Control of Assumed-Immutable Web Parameter",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T17:42:45.827Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-hp5w-3hxx-vmwf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-hp5w-3hxx-vmwf"
},
{
"name": "https://github.com/payloadcms/payload/releases/tag/v3.79.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/payloadcms/payload/releases/tag/v3.79.1"
}
],
"source": {
"advisory": "GHSA-hp5w-3hxx-vmwf",
"discovery": "UNKNOWN"
},
"title": "Payload has Unvalidated Input in Password Recovery Endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34751",
"datePublished": "2026-04-01T17:42:45.827Z",
"dateReserved": "2026-03-30T19:17:10.225Z",
"dateUpdated": "2026-04-04T03:06:17.817Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27567 (GCVE-0-2026-27567)
Vulnerability from nvd – Published: 2026-02-24 14:22 – Updated: 2026-02-27 19:03
VLAI?
Title
Payload has Server-Side Request Forgery (SSRF) in External File URL Uploads
Summary
Payload is a free and open source headless content management system. Prior to 3.75.0, a Server-Side Request Forgery (SSRF) vulnerability exists in Payload's external file upload functionality. When processing external URLs for file uploads, insufficient validation of HTTP redirects could allow an authenticated attacker to access internal network resources. The Payload environment must have at least one collection with `upload` enabled and a user who has `create` access to that upload-enabled collection in order to be vulnerable. An authenticated user with upload collection write permissions could potentially access internal services. Response content from internal services could be retrieved through the application. This vulnerability has been patched in v3.75.0. As a workaround, one may mitigate this vulnerability by disabling external file uploads via the `disableExternalFile` upload collection option, or by restricting `create` access on upload-enabled collections to trusted users only.
Severity ?
6.5 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| payloadcms | payload |
Affected:
< 3.75.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27567",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T19:03:18.715822Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T19:03:28.091Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "payload",
"vendor": "payloadcms",
"versions": [
{
"status": "affected",
"version": "\u003c 3.75.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Payload is a free and open source headless content management system. Prior to 3.75.0, a Server-Side Request Forgery (SSRF) vulnerability exists in Payload\u0027s external file upload functionality. When processing external URLs for file uploads, insufficient validation of HTTP redirects could allow an authenticated attacker to access internal network resources. The Payload environment must have at least one collection with `upload` enabled and a user who has `create` access to that upload-enabled collection in order to be vulnerable. An authenticated user with upload collection write permissions could potentially access internal services. Response content from internal services could be retrieved through the application. This vulnerability has been patched in v3.75.0. As a workaround, one may mitigate this vulnerability by disabling external file uploads via the `disableExternalFile` upload collection option, or by restricting `create` access on upload-enabled collections to trusted users only."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T14:22:37.803Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-hhfx-5x8j-f5f6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-hhfx-5x8j-f5f6"
},
{
"name": "https://github.com/payloadcms/payload/commit/1041bb6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/payloadcms/payload/commit/1041bb6"
},
{
"name": "https://github.com/payloadcms/payload/releases/tag/v3.75.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/payloadcms/payload/releases/tag/v3.75.0"
}
],
"source": {
"advisory": "GHSA-hhfx-5x8j-f5f6",
"discovery": "UNKNOWN"
},
"title": "Payload has Server-Side Request Forgery (SSRF) in External File URL Uploads"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27567",
"datePublished": "2026-02-24T14:22:37.803Z",
"dateReserved": "2026-02-20T17:40:28.448Z",
"dateUpdated": "2026-02-27T19:03:28.091Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25574 (GCVE-0-2026-25574)
Vulnerability from nvd – Published: 2026-02-06 21:04 – Updated: 2026-02-09 15:27
VLAI?
Title
Payload Affected by Cross-Collection IDOR in payload-preferences Access Control (Multi-Auth Environments)
Summary
Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide. This vulnerability has been patched in v3.74.0.
Severity ?
5.4 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| payloadcms | payload |
Affected:
< 3.74.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25574",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-09T15:19:22.550674Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T15:27:32.333Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "payload",
"vendor": "payloadcms",
"versions": [
{
"status": "affected",
"version": "\u003c 3.74.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide. This vulnerability has been patched in v3.74.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T21:04:48.036Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-jq29-r496-r955",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-jq29-r496-r955"
}
],
"source": {
"advisory": "GHSA-jq29-r496-r955",
"discovery": "UNKNOWN"
},
"title": "Payload Affected by Cross-Collection IDOR in payload-preferences Access Control (Multi-Auth Environments)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25574",
"datePublished": "2026-02-06T21:04:48.036Z",
"dateReserved": "2026-02-03T01:02:46.714Z",
"dateUpdated": "2026-02-09T15:27:32.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25544 (GCVE-0-2026-25544)
Vulnerability from nvd – Published: 2026-02-06 21:07 – Updated: 2026-02-09 15:27
VLAI?
Title
Payload has an SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters
Summary
Payload is a free and open source headless content management system. Prior to 3.73.0, when querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind SQL injection attacks. An unauthenticated attacker could extract sensitive data (emails, password reset tokens) and achieve full account takeover without password cracking. This vulnerability is fixed in 3.73.0.
Severity ?
9.8 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| payloadcms | payload |
Affected:
< 3.73.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25544",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-09T15:22:49.977904Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T15:27:26.616Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "payload",
"vendor": "payloadcms",
"versions": [
{
"status": "affected",
"version": "\u003c 3.73.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Payload is a free and open source headless content management system. Prior to 3.73.0, when querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind SQL injection attacks. An unauthenticated attacker could extract sensitive data (emails, password reset tokens) and achieve full account takeover without password cracking. This vulnerability is fixed in 3.73.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T21:07:01.122Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-xx6w-jxg9-2wh8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-xx6w-jxg9-2wh8"
}
],
"source": {
"advisory": "GHSA-xx6w-jxg9-2wh8",
"discovery": "UNKNOWN"
},
"title": "Payload has an SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25544",
"datePublished": "2026-02-06T21:07:01.122Z",
"dateReserved": "2026-02-02T19:59:47.375Z",
"dateUpdated": "2026-02-09T15:27:26.616Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-30843 (GCVE-0-2023-30843)
Vulnerability from nvd – Published: 2023-04-26 20:32 – Updated: 2025-02-03 16:45
VLAI?
Title
Payload's hidden fields can be leaked on readable collections
Summary
Payload is a free and open source headless content management system. In versions prior to 1.7.0, if a user has access to documents that contain hidden fields or fields they do not have access to, the user could reverse-engineer those values via brute force. Version 1.7.0 contains a patch. As a workaround, write a `beforeOperation` hook to remove `where` queries that attempt to access hidden field data.
Severity ?
7.4 (High)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| payloadcms | payload |
Affected:
< 1.7.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:37:15.432Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-35jj-vqcf-f2jf",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-35jj-vqcf-f2jf"
},
{
"name": "https://github.com/payloadcms/payload/releases/tag/v1.7.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/payloadcms/payload/releases/tag/v1.7.0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-30843",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-03T16:45:52.366862Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-03T16:45:55.233Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "payload",
"vendor": "payloadcms",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Payload is a free and open source headless content management system. In versions prior to 1.7.0, if a user has access to documents that contain hidden fields or fields they do not have access to, the user could reverse-engineer those values via brute force. Version 1.7.0 contains a patch. As a workaround, write a `beforeOperation` hook to remove `where` queries that attempt to access hidden field data."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-26T20:32:54.545Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-35jj-vqcf-f2jf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-35jj-vqcf-f2jf"
},
{
"name": "https://github.com/payloadcms/payload/releases/tag/v1.7.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/payloadcms/payload/releases/tag/v1.7.0"
}
],
"source": {
"advisory": "GHSA-35jj-vqcf-f2jf",
"discovery": "UNKNOWN"
},
"title": "Payload\u0027s hidden fields can be leaked on readable collections"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-30843",
"datePublished": "2023-04-26T20:32:54.545Z",
"dateReserved": "2023-04-18T16:13:15.880Z",
"dateUpdated": "2025-02-03T16:45:55.233Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-27952 (GCVE-0-2022-27952)
Vulnerability from nvd – Published: 2022-04-12 16:29 – Updated: 2024-08-03 05:41
VLAI?
Summary
An arbitrary file upload vulnerability in the file upload module of PayloadCMS v0.15.0 allows attackers to execute arbitrary code via a crafted SVG file.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:41:11.319Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/payloadcms/payload"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.youtube.com/watch?v=6CfhAxA3xdQ"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An arbitrary file upload vulnerability in the file upload module of PayloadCMS v0.15.0 allows attackers to execute arbitrary code via a crafted SVG file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-12T16:29:04.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/payloadcms/payload"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.youtube.com/watch?v=6CfhAxA3xdQ"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-27952",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An arbitrary file upload vulnerability in the file upload module of PayloadCMS v0.15.0 allows attackers to execute arbitrary code via a crafted SVG file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/payloadcms/payload",
"refsource": "MISC",
"url": "https://github.com/payloadcms/payload"
},
{
"name": "https://www.youtube.com/watch?v=6CfhAxA3xdQ",
"refsource": "MISC",
"url": "https://www.youtube.com/watch?v=6CfhAxA3xdQ"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-27952",
"datePublished": "2022-04-12T16:29:04.000Z",
"dateReserved": "2022-03-28T00:00:00.000Z",
"dateUpdated": "2024-08-03T05:41:11.319Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-34750 (GCVE-0-2026-34750)
Vulnerability from cvelistv5 – Published: 2026-04-01 19:51 – Updated: 2026-04-02 15:33
VLAI?
Title
Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints
Summary
Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3, the client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize filenames. An attacker could craft filenames to escape the intended storage location. This issue has been patched in version 3.78.0 for @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3.
Severity ?
6.5 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| payloadcms | payload |
Affected:
< 3.78.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34750",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T15:33:26.614791Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T15:33:58.886Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "payload",
"vendor": "payloadcms",
"versions": [
{
"status": "affected",
"version": "\u003c 3.78.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3, the client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize filenames. An attacker could craft filenames to escape the intended storage location. This issue has been patched in version 3.78.0 for @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T19:51:59.689Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-frq9-7j6g-v74x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-frq9-7j6g-v74x"
}
],
"source": {
"advisory": "GHSA-frq9-7j6g-v74x",
"discovery": "UNKNOWN"
},
"title": "Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34750",
"datePublished": "2026-04-01T19:51:59.689Z",
"dateReserved": "2026-03-30T19:17:10.225Z",
"dateUpdated": "2026-04-02T15:33:58.886Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34749 (GCVE-0-2026-34749)
Vulnerability from cvelistv5 – Published: 2026-04-01 19:49 – Updated: 2026-04-06 19:46
VLAI?
Title
Payload has a CSRF Protection Bypass in Authentication Flow
Summary
Payload is a free and open source headless content management system. Prior to version 3.79.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made. This issue has been patched in version 3.79.1.
Severity ?
5.4 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| payloadcms | payload |
Affected:
< 3.79.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34749",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T14:11:02.350739Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T19:46:32.770Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "payload",
"vendor": "payloadcms",
"versions": [
{
"status": "affected",
"version": "\u003c 3.79.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Payload is a free and open source headless content management system. Prior to version 3.79.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made. This issue has been patched in version 3.79.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T19:49:35.934Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-p6mr-xf3r-ghq4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-p6mr-xf3r-ghq4"
},
{
"name": "https://github.com/payloadcms/payload/releases/tag/v3.79.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/payloadcms/payload/releases/tag/v3.79.1"
}
],
"source": {
"advisory": "GHSA-p6mr-xf3r-ghq4",
"discovery": "UNKNOWN"
},
"title": "Payload has a CSRF Protection Bypass in Authentication Flow"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34749",
"datePublished": "2026-04-01T19:49:35.934Z",
"dateReserved": "2026-03-30T19:17:10.224Z",
"dateUpdated": "2026-04-06T19:46:32.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34748 (GCVE-0-2026-34748)
Vulnerability from cvelistv5 – Published: 2026-04-01 19:48 – Updated: 2026-04-02 16:24
VLAI?
Title
@payloadcms/next has Stored XSS in Admin Panel
Summary
Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/next, a stored Cross-Site Scripting (XSS) vulnerability existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another user, would execute in their browser. This issue has been patched in version 3.78.0.
Severity ?
8.7 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| payloadcms | payload |
Affected:
< 3.78.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34748",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T15:49:07.409157Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T16:24:38.880Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "payload",
"vendor": "payloadcms",
"versions": [
{
"status": "affected",
"version": "\u003c 3.78.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/next, a stored Cross-Site Scripting (XSS) vulnerability existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another user, would execute in their browser. This issue has been patched in version 3.78.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T19:48:10.297Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-mmxc-95ch-2j7c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-mmxc-95ch-2j7c"
}
],
"source": {
"advisory": "GHSA-mmxc-95ch-2j7c",
"discovery": "UNKNOWN"
},
"title": "@payloadcms/next has Stored XSS in Admin Panel"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34748",
"datePublished": "2026-04-01T19:48:10.297Z",
"dateReserved": "2026-03-30T19:17:10.224Z",
"dateUpdated": "2026-04-02T16:24:38.880Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34747 (GCVE-0-2026-34747)
Vulnerability from cvelistv5 – Published: 2026-04-01 19:45 – Updated: 2026-04-04 03:07
VLAI?
Title
Payload has an SQL Injection via Query Handling
Summary
Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections. This issue has been patched in version 3.79.1.
Severity ?
8.5 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| payloadcms | payload |
Affected:
< 3.79.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34747",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-04T03:07:03.829680Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-04T03:07:40.291Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "payload",
"vendor": "payloadcms",
"versions": [
{
"status": "affected",
"version": "\u003c 3.79.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections. This issue has been patched in version 3.79.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T19:45:24.463Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-7xxh-373w-35vg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-7xxh-373w-35vg"
},
{
"name": "https://github.com/payloadcms/payload/releases/tag/v3.79.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/payloadcms/payload/releases/tag/v3.79.1"
}
],
"source": {
"advisory": "GHSA-7xxh-373w-35vg",
"discovery": "UNKNOWN"
},
"title": "Payload has an SQL Injection via Query Handling"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34747",
"datePublished": "2026-04-01T19:45:24.463Z",
"dateReserved": "2026-03-30T19:17:10.224Z",
"dateUpdated": "2026-04-04T03:07:40.291Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34746 (GCVE-0-2026-34746)
Vulnerability from cvelistv5 – Published: 2026-04-01 19:43 – Updated: 2026-04-02 15:12
VLAI?
Title
Payload has Authenticated SSRF via Upload Functionality
Summary
Payload is a free and open source headless content management system. Prior to version 3.79.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the upload functionality. Authenticated users with create or update access to an upload-enabled collection could cause the server to make outbound HTTP requests to arbitrary URLs. This issue has been patched in version 3.79.1.
Severity ?
7.7 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| payloadcms | payload |
Affected:
< 3.79.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34746",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T15:10:39.687505Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T15:12:09.290Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "payload",
"vendor": "payloadcms",
"versions": [
{
"status": "affected",
"version": "\u003c 3.79.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Payload is a free and open source headless content management system. Prior to version 3.79.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the upload functionality. Authenticated users with create or update access to an upload-enabled collection could cause the server to make outbound HTTP requests to arbitrary URLs. This issue has been patched in version 3.79.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T19:43:16.700Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-6r7f-q7f5-wpx8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-6r7f-q7f5-wpx8"
},
{
"name": "https://github.com/payloadcms/payload/releases/tag/v3.79.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/payloadcms/payload/releases/tag/v3.79.1"
}
],
"source": {
"advisory": "GHSA-6r7f-q7f5-wpx8",
"discovery": "UNKNOWN"
},
"title": "Payload has Authenticated SSRF via Upload Functionality"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34746",
"datePublished": "2026-04-01T19:43:16.700Z",
"dateReserved": "2026-03-30T19:17:10.224Z",
"dateUpdated": "2026-04-02T15:12:09.290Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34751 (GCVE-0-2026-34751)
Vulnerability from cvelistv5 – Published: 2026-04-01 17:42 – Updated: 2026-04-04 03:06
VLAI?
Title
Payload has Unvalidated Input in Password Recovery Endpoints
Summary
Payload is a free and open source headless content management system. Prior to version 3.79.1 in @payloadcms/graphql and payload, a vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset. This issue has been patched in version 3.79.1 for @payloadcms/graphql and payload.
Severity ?
9.1 (Critical)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| payloadcms | payload |
Affected:
< 3.79.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34751",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-04T03:06:01.663817Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-04T03:06:17.817Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "payload",
"vendor": "payloadcms",
"versions": [
{
"status": "affected",
"version": "\u003c 3.79.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Payload is a free and open source headless content management system. Prior to version 3.79.1 in @payloadcms/graphql and payload, a vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset. This issue has been patched in version 3.79.1 for @payloadcms/graphql and payload."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-472",
"description": "CWE-472: External Control of Assumed-Immutable Web Parameter",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T17:42:45.827Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-hp5w-3hxx-vmwf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-hp5w-3hxx-vmwf"
},
{
"name": "https://github.com/payloadcms/payload/releases/tag/v3.79.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/payloadcms/payload/releases/tag/v3.79.1"
}
],
"source": {
"advisory": "GHSA-hp5w-3hxx-vmwf",
"discovery": "UNKNOWN"
},
"title": "Payload has Unvalidated Input in Password Recovery Endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34751",
"datePublished": "2026-04-01T17:42:45.827Z",
"dateReserved": "2026-03-30T19:17:10.225Z",
"dateUpdated": "2026-04-04T03:06:17.817Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27567 (GCVE-0-2026-27567)
Vulnerability from cvelistv5 – Published: 2026-02-24 14:22 – Updated: 2026-02-27 19:03
VLAI?
Title
Payload has Server-Side Request Forgery (SSRF) in External File URL Uploads
Summary
Payload is a free and open source headless content management system. Prior to 3.75.0, a Server-Side Request Forgery (SSRF) vulnerability exists in Payload's external file upload functionality. When processing external URLs for file uploads, insufficient validation of HTTP redirects could allow an authenticated attacker to access internal network resources. The Payload environment must have at least one collection with `upload` enabled and a user who has `create` access to that upload-enabled collection in order to be vulnerable. An authenticated user with upload collection write permissions could potentially access internal services. Response content from internal services could be retrieved through the application. This vulnerability has been patched in v3.75.0. As a workaround, one may mitigate this vulnerability by disabling external file uploads via the `disableExternalFile` upload collection option, or by restricting `create` access on upload-enabled collections to trusted users only.
Severity ?
6.5 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| payloadcms | payload |
Affected:
< 3.75.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27567",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T19:03:18.715822Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T19:03:28.091Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "payload",
"vendor": "payloadcms",
"versions": [
{
"status": "affected",
"version": "\u003c 3.75.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Payload is a free and open source headless content management system. Prior to 3.75.0, a Server-Side Request Forgery (SSRF) vulnerability exists in Payload\u0027s external file upload functionality. When processing external URLs for file uploads, insufficient validation of HTTP redirects could allow an authenticated attacker to access internal network resources. The Payload environment must have at least one collection with `upload` enabled and a user who has `create` access to that upload-enabled collection in order to be vulnerable. An authenticated user with upload collection write permissions could potentially access internal services. Response content from internal services could be retrieved through the application. This vulnerability has been patched in v3.75.0. As a workaround, one may mitigate this vulnerability by disabling external file uploads via the `disableExternalFile` upload collection option, or by restricting `create` access on upload-enabled collections to trusted users only."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T14:22:37.803Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-hhfx-5x8j-f5f6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-hhfx-5x8j-f5f6"
},
{
"name": "https://github.com/payloadcms/payload/commit/1041bb6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/payloadcms/payload/commit/1041bb6"
},
{
"name": "https://github.com/payloadcms/payload/releases/tag/v3.75.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/payloadcms/payload/releases/tag/v3.75.0"
}
],
"source": {
"advisory": "GHSA-hhfx-5x8j-f5f6",
"discovery": "UNKNOWN"
},
"title": "Payload has Server-Side Request Forgery (SSRF) in External File URL Uploads"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27567",
"datePublished": "2026-02-24T14:22:37.803Z",
"dateReserved": "2026-02-20T17:40:28.448Z",
"dateUpdated": "2026-02-27T19:03:28.091Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25544 (GCVE-0-2026-25544)
Vulnerability from cvelistv5 – Published: 2026-02-06 21:07 – Updated: 2026-02-09 15:27
VLAI?
Title
Payload has an SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters
Summary
Payload is a free and open source headless content management system. Prior to 3.73.0, when querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind SQL injection attacks. An unauthenticated attacker could extract sensitive data (emails, password reset tokens) and achieve full account takeover without password cracking. This vulnerability is fixed in 3.73.0.
Severity ?
9.8 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| payloadcms | payload |
Affected:
< 3.73.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25544",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-09T15:22:49.977904Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T15:27:26.616Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "payload",
"vendor": "payloadcms",
"versions": [
{
"status": "affected",
"version": "\u003c 3.73.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Payload is a free and open source headless content management system. Prior to 3.73.0, when querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind SQL injection attacks. An unauthenticated attacker could extract sensitive data (emails, password reset tokens) and achieve full account takeover without password cracking. This vulnerability is fixed in 3.73.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T21:07:01.122Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-xx6w-jxg9-2wh8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-xx6w-jxg9-2wh8"
}
],
"source": {
"advisory": "GHSA-xx6w-jxg9-2wh8",
"discovery": "UNKNOWN"
},
"title": "Payload has an SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25544",
"datePublished": "2026-02-06T21:07:01.122Z",
"dateReserved": "2026-02-02T19:59:47.375Z",
"dateUpdated": "2026-02-09T15:27:26.616Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25574 (GCVE-0-2026-25574)
Vulnerability from cvelistv5 – Published: 2026-02-06 21:04 – Updated: 2026-02-09 15:27
VLAI?
Title
Payload Affected by Cross-Collection IDOR in payload-preferences Access Control (Multi-Auth Environments)
Summary
Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide. This vulnerability has been patched in v3.74.0.
Severity ?
5.4 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| payloadcms | payload |
Affected:
< 3.74.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25574",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-09T15:19:22.550674Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T15:27:32.333Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "payload",
"vendor": "payloadcms",
"versions": [
{
"status": "affected",
"version": "\u003c 3.74.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide. This vulnerability has been patched in v3.74.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T21:04:48.036Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-jq29-r496-r955",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-jq29-r496-r955"
}
],
"source": {
"advisory": "GHSA-jq29-r496-r955",
"discovery": "UNKNOWN"
},
"title": "Payload Affected by Cross-Collection IDOR in payload-preferences Access Control (Multi-Auth Environments)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25574",
"datePublished": "2026-02-06T21:04:48.036Z",
"dateReserved": "2026-02-03T01:02:46.714Z",
"dateUpdated": "2026-02-09T15:27:32.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-30843 (GCVE-0-2023-30843)
Vulnerability from cvelistv5 – Published: 2023-04-26 20:32 – Updated: 2025-02-03 16:45
VLAI?
Title
Payload's hidden fields can be leaked on readable collections
Summary
Payload is a free and open source headless content management system. In versions prior to 1.7.0, if a user has access to documents that contain hidden fields or fields they do not have access to, the user could reverse-engineer those values via brute force. Version 1.7.0 contains a patch. As a workaround, write a `beforeOperation` hook to remove `where` queries that attempt to access hidden field data.
Severity ?
7.4 (High)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| payloadcms | payload |
Affected:
< 1.7.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:37:15.432Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-35jj-vqcf-f2jf",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-35jj-vqcf-f2jf"
},
{
"name": "https://github.com/payloadcms/payload/releases/tag/v1.7.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/payloadcms/payload/releases/tag/v1.7.0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-30843",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-03T16:45:52.366862Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-03T16:45:55.233Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "payload",
"vendor": "payloadcms",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Payload is a free and open source headless content management system. In versions prior to 1.7.0, if a user has access to documents that contain hidden fields or fields they do not have access to, the user could reverse-engineer those values via brute force. Version 1.7.0 contains a patch. As a workaround, write a `beforeOperation` hook to remove `where` queries that attempt to access hidden field data."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-26T20:32:54.545Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-35jj-vqcf-f2jf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-35jj-vqcf-f2jf"
},
{
"name": "https://github.com/payloadcms/payload/releases/tag/v1.7.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/payloadcms/payload/releases/tag/v1.7.0"
}
],
"source": {
"advisory": "GHSA-35jj-vqcf-f2jf",
"discovery": "UNKNOWN"
},
"title": "Payload\u0027s hidden fields can be leaked on readable collections"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-30843",
"datePublished": "2023-04-26T20:32:54.545Z",
"dateReserved": "2023-04-18T16:13:15.880Z",
"dateUpdated": "2025-02-03T16:45:55.233Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-27952 (GCVE-0-2022-27952)
Vulnerability from cvelistv5 – Published: 2022-04-12 16:29 – Updated: 2024-08-03 05:41
VLAI?
Summary
An arbitrary file upload vulnerability in the file upload module of PayloadCMS v0.15.0 allows attackers to execute arbitrary code via a crafted SVG file.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:41:11.319Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/payloadcms/payload"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.youtube.com/watch?v=6CfhAxA3xdQ"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An arbitrary file upload vulnerability in the file upload module of PayloadCMS v0.15.0 allows attackers to execute arbitrary code via a crafted SVG file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-12T16:29:04.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/payloadcms/payload"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.youtube.com/watch?v=6CfhAxA3xdQ"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-27952",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An arbitrary file upload vulnerability in the file upload module of PayloadCMS v0.15.0 allows attackers to execute arbitrary code via a crafted SVG file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/payloadcms/payload",
"refsource": "MISC",
"url": "https://github.com/payloadcms/payload"
},
{
"name": "https://www.youtube.com/watch?v=6CfhAxA3xdQ",
"refsource": "MISC",
"url": "https://www.youtube.com/watch?v=6CfhAxA3xdQ"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-27952",
"datePublished": "2022-04-12T16:29:04.000Z",
"dateReserved": "2022-03-28T00:00:00.000Z",
"dateUpdated": "2024-08-03T05:41:11.319Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}