
44 matches found

EUVD
added 2026/04/01 9:19 p.m., 0 views

EUVD-2026-18013

Payload has an SQL Injection via Query Handling...

CVSS 8.5, AI score 6, EPSS 0.00027
Exploits 0, References 2
ATTACKERKB
added 2026/04/01 7:43 p.m., 2 views

CVE-2026-34746

Payload is a free and open source headless content management system. Prior to version 3.79.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the upload functionality. Authenticated users with create or update access to an upload-enabled collection could cause the serve...

CVSS 7.7, AI score 5.9, EPSS 0.00015
Exploits 0, References 3, Affected Software 1
Positive Technologies
added 2026/04/01 12:0 a.m., 2 views

PT-2026-29594

Name of the Vulnerable Software and Affected Versions: Payload versions prior to 3.79.1. Description: A Server-Side Request Forgery (SSRF) vulnerability exists in the upload functionality. Authenticated users with create or update access to an upload-enabled collection could cause the server to make...

CVSS 7.7, AI score 6, EPSS 0.00015
Exploits 0, References 7
CNNVD
added 2026/03/12 12:0 a.m., 2 views

TinaCMS security vulnerability

TinaCMS is an open-source headless CMS for Markdown, MDX, and JSON developed by Tina. Versions of TinaCMS prior to 2.1.8 contained a security vulnerability. This vulnerability stemmed from the TinaCMS CLI development server’s configuration using Vite, which disabled the built-in file system acces...

CVSS 6.2, AI score 5.9, EPSS 0.06479
Exploits 1, References 1
EUVD
added 2026/02/06 9:7 p.m., 4 views

EUVD-2026-5570

Payload is a free and open source headless content management system. Prior to 3.73.0, when querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind SQL injection attacks. An unauthenticated attacker could extract sensitive data emails, password...

CVSS 9.8, AI score 5.7, EPSS 0.00039
Exploits 0, References 1
NVD
added 2025/11/13 9:15 a.m., 4 views

CVE-2025-11260

The WP Headless CMS Framework plugin for WordPress is vulnerable to protection mechanism bypass in all versions up to, and including, 1.15. This is due to the plugin only checking for the existence of the Authorization header in a request when determining if the nonce protection should be bypasse...

CVSS 5.3, EPSS 0.00085
Exploits 0, References 2
Cvelist
added 2025/11/13 8:27 a.m., 5 views

CVE-2025-11260 WP Headless CMS Framework <= 1.15 - Unauthenticated Protection Mechanism Bypass

The WP Headless CMS Framework plugin for WordPress is vulnerable to protection mechanism bypass in all versions up to, and including, 1.15. This is due to the plugin only checking for the existence of the Authorization header in a request when determining if the nonce protection should be bypasse...

CVSS 5.3, EPSS 0.00085
Exploits 0, References 2
EUVD
added 2025/11/13 8:27 a.m., 2 views

EUVD-2025-158258

The WP Headless CMS Framework plugin for WordPress is vulnerable to protection mechanism bypass in all versions up to, and including, 1.15. This is due to the plugin only checking for the existence of the Authorization header in a request when determining if the nonce protection should be bypasse...

CVSS 5.3, AI score 5.5, EPSS 0.00085
Exploits 0, References 3
CVE
added 2025/11/13 8:27 a.m., 10 views

CVE-2025-11260

The CVE-2025-11260 entry describes a protection mechanism bypass in the WordPress WP Headless CMS Framework plugin (versions up to and including 1.15). The vulnerability arises because the plugin only checks for the presence of the Authorization header to decide whether to bypass nonce protection...

CVSS 5.3, AI score 5.6, EPSS 0.00085
Exploits 0, References 2
CNNVD
added 2025/11/13 12:0 a.m., 4 views

WordPress plugin WP Headless CMS Framework security vulnerability

The WordPress WP Headless CMS Framework plugin is a tool for converting WordPress to a headless CMS (Headless Content Management System), separating content management from front-end presentation via REST API or GraphQL interfaces. The WordPress WP Headless CMS Framework plugin suffers from a protectio...

CVSS 5.3, AI score 6.5, EPSS 0.00085
Exploits 0, References 2
Positive Technologies
added 2025/11/13 12:0 a.m., 3 views

PT-2025-46791

Name of the Vulnerable Software and Affected Versions: WP Headless CMS Framework versions up to and including 1.15. Description: The WP Headless CMS Framework plugin for WordPress has a flaw where its protection mechanisms can be bypassed. The plugin only verifies the presence of the Authorization...

CVSS 5.3, AI score 6.5, EPSS 0.00085
Exploits 0, References 4
Patchstack
added 2025/11/12 11:50 p.m., 6 views

WordPress WP Headless CMS Framework plugin <= 1.15 - Unauthenticated Protection Mechanism Bypass vulnerability

Unauthenticated Protection Mechanism Bypass vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin WP Headless CMS Framework versions <= 1.15...

CVSS 5.3, AI score 6.7, EPSS 0.00085
Exploits 0, References 1, Affected Software 1
EUVD
added 2025/10/03 8:7 p.m., 1 views

EUVD-2023-2257

Malicious code in bioql PyPI...

CVSS 5.3, AI score 5.4, EPSS 0.00321
Exploits 0, References 6
EUVD
added 2025/10/03 8:7 p.m., 1 views

EUVD-2023-2965

Malicious code in bioql PyPI...

CVSS 7.6, AI score 7.5, EPSS 0.00079
Exploits 1, References 4
EUVD
added 2025/10/03 8:7 p.m., 1 views

EUVD-2023-38286

Malicious code in bioql PyPI...

CVSS 5.3, AI score 9.2, EPSS 0.00597
Exploits 0, References 1
CNNVD
added 2025/08/29 12:0 a.m., 2 views

Payload authorization issue vulnerability

Payload is a Headless CMS and application framework built using TypeScript, Node.js, React, and MongoDB. Payload suffers from an authorization issue vulnerability that stems from SQLite adapters reusing identifiers during account creation, which could lead to a session fixation attack...

CVSS 5.3, AI score 6.4, EPSS 0.00088
Exploits 0, References 4
CNNVD
added 2025/08/29 12:0 a.m., 2 views

Payload code issue vulnerability

Payload is a Headless CMS and application framework built using TypeScript, Node.js, React, and MongoDB. Payload has a code issue vulnerability that stems from JWT not being invalidated after logout, which could lead to token reuse...

CVSS 6.3, AI score 6.7, EPSS 0.0006
Exploits 0, References 4
RedhatCVE
added 2025/05/23 2:24 a.m., 2 views

CVE-2023-34186

Missing Authorization vulnerability in Imran Sayed Headless CMS. This issue affects Headless CMS: from n/a through 2.0.3...

CVSS 5.3, AI score 6.9, EPSS 0.00597
Exploits 0, References 1
NVD
added 2024/07/01 10:15 p.m., 17 views

CVE-2024-39314

toy-blog is a headless content management system implementation. Starting in version 0.4.3 and prior to version 0.5.0, the administrative password was leaked through the command line parameter. The problem was patched in version 0.5.0. As a workaround, pass --read-bearer-token-from-stdin to the...

CVSS 4.7, EPSS 0.00091
Exploits 0, References 2
NVD
added 2024/05/17 7:15 a.m., 18 views

CVE-2023-34186

Missing Authorization vulnerability in Imran Sayed Headless CMS. This issue affects Headless CMS: from n/a through 2.0.3...

CVSS 5.3, AI score 5.3, EPSS 0.00597
Exploits 0, References 1