Lucene search
K

5 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:12 p.m.8 views

CVE-2026-39397

@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/ CRUD endpoint handlers registered by createPuckPlugin called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The...

9.8CVSS5.5AI score0.00376EPSS
Exploits1References1
EUVD
EUVD
added 2026/04/01 9:24 p.m.5 views

EUVD-2026-18015

@payloadcms/next has Stored XSS in Admin Panel...

8.7CVSS5.9AI score0.00286EPSS
Exploits0References1
CVE
CVE
added 2026/04/01 7:51 p.m.9 views

CVE-2026-34750

Payload CMS is affected by CVE-2026-34750 due to improper sanitization of filenames in client-upload signed-URL endpoints for storage backends (storage-azure, storage-gcs, storage-r2, storage-s3) prior to version 3.78.0. An attacker could craft filenames to escape the intended storage location. A...

6.5CVSS5.8AI score0.00341EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/04/01 6:16 p.m.4 views

CVE-2026-34751

Payload is a free and open source headless content management system. Prior to version 3.79.1 in @payloadcms/graphql and payload, a vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset. This issue...

9.1CVSS0.00306EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/01 12:0 a.m.8 views

PT-2026-29596

Name of the Vulnerable Software and Affected Versions Payload versions prior to 3.78.0 Description Payload is a free and open source headless content management system. A stored Cross-Site Scripting XSS issue existed in the admin panel. An authenticated user with write access to a collection coul...

8.7CVSS6AI score0.00286EPSS
Exploits0References9
Rows per page
Query Builder