2 matches found
CVE-2026-39397
@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/ CRUD endpoint handlers registered by createPuckPlugin called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The...
PT-2026-31018
Name of the Vulnerable Software and Affected Versions @delmaredigital/payload-puck versions prior to 0.6.23 Description The @delmaredigital/payload-puck plugin for PayloadCMS, a visual page builder integration, had a critical issue where access control was bypassed. Specifically, all CRUD endpoin...