3 matches found
CVE-2026-25574
Payload CMS prior to 3.74.0 is affected by a cross-collection IDOR in the payload-preferences internal collection. In multi-auth environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to ...
CVE-2026-25574 Payload Affected by Cross-Collection IDOR in payload-preferences Access Control (Multi-Auth Environments)
Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference IDOR vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default...
GHSA-JQ29-R496-R955 payload-preferences has Cross-Collection IDOR in Access Control (Multi-Auth Environments)
Impact A cross-collection Insecure Direct Object Reference IDOR vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and...