32 matches found
CVE-2026-11779
An Improper Authorization vulnerability exists in PayloadCMS version 3.84.1 due to insufficient access control on the account unlock operation...
CVE-2026-11779
An Improper Authorization vulnerability exists in PayloadCMS version 3.84.1 due to insufficient access control on the account unlock operation...
CVE-2026-11779
Technical details about CVE-2026-11779 are not publicly available in the provided documents. Monitor for updates.
CVE-2026-11779 PayloadCMS 3.84.1 - Authenticated account lockout bypass through default unlock access
An Improper Authorization vulnerability exists in PayloadCMS version 3.84.1 due to insufficient access control on the account unlock operation...
EUVD-2026-39799
An Improper Authorization vulnerability exists in PayloadCMS version 3.84.1 due to insufficient access control on the account unlock operation...
EUVD-2026-19921
@delmaredigital/payload-puc is missing authorization on /api/puck/ CRUD endpoints allows unauthenticated access to Puck-registered collections...
CVE-2026-39397
@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/ CRUD endpoint handlers registered by createPuckPlugin called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The...
@ainsleydev/payload-helper (>=0.0.16 <=0.0.20), @contentql/core (>=0.1.2 <=0.3.5) +2 more potentially affected by CVE-2026-34750 via @payloadcms/storage-s3 (>=3.0.0-beta.111 <=3.0.0-beta.91)
@payloadcms/storage-s3 NPM version =3.0.0-beta.111, =0.0.16, =0.1.2, =0.1.0, =0.1.4, =0.1.5 Source cves: CVE-2026-34750 Source advisory: SNYK:JS-PAYLOADCMSSTORAGES3-15873860...
@adenta/cms (>=0.0.6 <=1.1.1-0), @ainsleydev/payload-helper (>=0.0.6 <=0.3.2) +24 more potentially affected by CVE-2026-34747 via @payloadcms/drizzle (>=3.0.0-beta.100 <=3.79.0)
@payloadcms/drizzle NPM version =3.0.0-beta.100, =0.0.6, =0.0.6, =3.22.1, =3.37.0, =1.0.0, =3.53.0, =3.61.1-2, =3.50.0-internal.ca62628, =3.0.0, =3.0.0, =3.0.0, =1.0.1, =1.0.2 and more Source cves: CVE-2026-34747 Source advisory: SNYK:JS-PAYLOADCMSDRIZZLE-15873854...
CVE-2026-34748
Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/next, a stored Cross-Site Scripting XSS vulnerability existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another...
CVE-2026-34748
Summary: CVE-2026-34748 affects the Payload CMS project, specifically the @payloadcms/next package. A stored XSS vulnerability existed in the admin panel prior to version 3.78.0, exploitable by an authenticated user with write access to a collection who saves content that would execute in another...
@adenta/cms (>=0.0.6 <=1.1.1-0), @anjy7/navbar-cms (=0.0.5) +25 more potentially affected by CVE-2026-34751 via @payloadcms/graphql (>=3.0.0-alpha.0 <=3.79.0)
@payloadcms/graphql NPM version =3.0.0-alpha.0, =0.0.6, =0.1.2, =1.0.2, =0.1.0, =3.0.0, =3.2.0, =0.2.0, =3.0.0-beta.10, =1.0.54, =1.0.1, =0.1.0, =0.1.1 and more Source cves: CVE-2026-34751 Source advisory: OSV:GHSA-HP5W-3HXX-VMWF...
@adenta/cms (>=0.0.6 <=1.1.1-0), @anjy7/navbar-cms (=0.0.5) +25 more potentially affected by CVE-2026-34751 via @payloadcms/graphql (>=3.0.0-alpha.0 <=3.79.0)
@payloadcms/graphql NPM version =3.0.0-alpha.0, =0.0.6, =0.1.2, =1.0.2, =0.1.0, =3.0.0, =3.2.0, =0.2.0, =3.0.0-beta.10, =1.0.54, =1.0.1, =0.1.0, =0.1.1 and more Source cves: CVE-2026-34751 Source advisory: SNYK:JS-PAYLOADCMSGRAPHQL-15871107...
SQL Injection
Overview @payloadcms/db-vercel-postgres is a Vercel Postgres adapter for Payload Affected versions of this package are vulnerable to SQL Injection when querying JSON or richText fields. An attacker can extract sensitive information and gain unauthorized access to user accounts by injecting crafte...
@adenta/cms (>=0.0.6 <=1.1.1-0), @ainsleydev/payload-helper (>=0.0.6 <=0.1.2) +23 more potentially affected by CVE-2026-25544 via @payloadcms/drizzle (>=3.0.0-beta.100 <=3.73.0-internal.783bc97)
@payloadcms/drizzle NPM version =3.0.0-beta.100, =0.0.6, =0.0.6, =3.22.1, =3.37.0, =1.0.0, =3.53.0, =3.61.1-2, =3.50.0-internal.ca62628, =3.0.0, =3.0.0, =3.0.0, =1.0.1, =1.0.2 and more Source cves: CVE-2026-25544 Source advisory: OSV:GHSA-XX6W-JXG9-2WH8...
@adenta/cms (>=0.0.6 <=1.1.1-0), @anjy7/navbar-cms (=0.0.5) +21 more potentially affected by CVE-2026-25544 via @payloadcms/next (>=3.0.0-alpha.46 <=3.73.0-internal.783bc97)
@payloadcms/next NPM version =3.0.0-alpha.46, =0.0.6, =0.1.2, =1.0.2, =0.1.0, =3.2.0, =0.2.0, =1.0.54, =0.1.0, =0.1.4, =1.0.0, =0.0.5, =0.0.1, =0.0.4 and more Source cves: CVE-2026-25544 Source advisory: SNYK:JS-PAYLOADCMSNEXT-15240192...
EUVD-2022-1851
Malicious code in bioql PyPI...
@anjy7/navbar-cms (=0.0.5), @contentql/core (>=0.1.2 <=0.3.5) +17 more potentially affected by CVE-2025-4643 +1 more via @payloadcms/graphql (>=3.0.0-alpha.0 <=3.44.0-internal.6b79dc2)
@payloadcms/graphql NPM version =3.0.0-alpha.0, =0.1.2, =0.1.0, =3.0.0, =3.2.0, =0.2.0, =3.0.0-beta.10, =1.0.1, =0.1.0, =0.1.4, =1.0.0, =0.0.5, =0.0.1, =0.0.9-alpha.52, =0.0.5, =1.0.3 and more Source cves: CVE-2025-4643, CVE-2025-4644 Source advisory: OSV:GHSA-26RV-H2HF-3FW4...
@anjy7/navbar-cms (=0.0.5), @contentql/core (>=0.1.2 <=0.3.5) +17 more potentially affected by CVE-2025-4643 via @payloadcms/graphql (>=3.0.0-alpha.0 <=3.44.0-internal.6b79dc2)
@payloadcms/graphql NPM version =3.0.0-alpha.0, =0.1.2, =0.1.0, =3.0.0, =3.2.0, =0.2.0, =3.0.0-beta.10, =1.0.1, =0.1.0, =0.1.4, =1.0.0, =0.0.5, =0.0.1, =0.0.9-alpha.52, =0.0.5, =1.0.3 and more Source cves: CVE-2025-4643 Source advisory: OSV:GHSA-5V66-M237-HWF7...
@anjy7/navbar-cms (=0.0.5), @contentql/core (>=0.1.2 <=0.3.5) +14 more potentially affected by CVE-2025-4643 via @payloadcms/next (>=3.0.0-alpha.46 <=3.44.0-internal.6b79dc2)
@payloadcms/next NPM version =3.0.0-alpha.46, =0.1.2, =0.1.0, =3.2.0, =0.2.0, =0.1.0, =0.1.4, =1.0.0, =0.0.5, =0.0.1, =0.0.9-alpha.52, =0.0.5, =3.0.0-beta.3, =0.0.3, =1.0.0 and more Source cves: CVE-2025-4643 Source advisory: OSV:GHSA-5V66-M237-HWF7...