
47 matches found

Cvelist
added 2026/04/07 8:9 p.m., 14 views

CVE-2026-39397 @delmaredigital/payload-puck is missing authorization on /api/puck/* CRUD endpoints allows unauthenticated access to Puck-registered collections

@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/ CRUD endpoint handlers registered by createPuckPlugin called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The...

9.4 CVSS, 0.00376 EPSS
Exploits 1, References 3

Vulnrichment
added 2026/04/07 8:9 p.m., 2 views

CVE-2026-39397 @delmaredigital/payload-puck is missing authorization on /api/puck/* CRUD endpoints allows unauthenticated access to Puck-registered collections

@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/ CRUD endpoint handlers registered by createPuckPlugin called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The...

9.4 CVSS, 5.9 AI score, 0.00376 EPSS
Exploits 1, References 3

ATTACKERKB
added 2026/04/07 8:9 p.m., 1 views

CVE-2026-39397

@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/ CRUD endpoint handlers registered by createPuckPlugin called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The...

9.4 CVSS, 5.9 AI score, 0.00376 EPSS
Exploits 1, References 4, Affected Software 1

RedhatCVE
added 2026/04/02 10:55 p.m., 4 views

CVE-2026-34750

Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3, the client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize...

6.5 CVSS, 5.8 AI score, 0.00341 EPSS
Exploits 0, References 1

RedhatCVE
added 2026/04/02 10:55 p.m., 3 views

CVE-2026-34751

Payload is a free and open source headless content management system. Prior to version 3.79.1 in @payloadcms/graphql and payload, a vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset. This issue...

9.1 CVSS, 5.8 AI score, 0.00306 EPSS
Exploits 0, References 1

RedhatCVE
added 2026/04/02 10:54 p.m., 3 views

CVE-2026-34748

Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/next, a stored Cross-Site Scripting (XSS) vulnerability existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another...

8.7 CVSS, 5.8 AI score, 0.00286 EPSS
Exploits 0, References 1

vulnersOsv
added 2026/04/01 10:26 p.m., 3 views

@01.software/sdk (>=0.0.1-251008.90016 <=0.2.3), @adenta/cms (>=0.0.6 <=1.1.1-0) +32 more potentially affected by CVE-2026-34750 via payload (>=3.0.0-alpha.46 <=3.78.0-internal.5219978)

payload NPM version =3.0.0-alpha.46, =0.0.1-251008.90016, =0.0.6, =0.0.3, =1.0.1-beta.0, =1.0.0, =0.1.0, =1.0.0, =1.0.0, =3.64.0, =0.0.1-beta.0, =0.2.0, =0.2.14 - @remy90/payload-conditions-plugin =0.2.2 and more Source cves: CVE-2026-34750 Source advisory: SNYK:JS-PAYLOAD-15873857...

6.5 CVSS, 5.8 AI score, 0.00341 EPSS
Exploits 0

Snyk
added 2026/04/01 10:26 p.m., 2 views

Server-side Request Forgery (SSRF)

Overview: payload is a Node, React and MongoDB Headless CMS and Application Framework. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the upload endpoint. An attacker can cause the server to initiate unauthorized outbound HTTP requests to arbitrary URLs by...

7.7 CVSS, 6 AI score, 0.00296 EPSS
Exploits 0, References 2

Snyk
added 2026/04/01 9:36 p.m., 0 views

Cross-site Request Forgery (CSRF)

Overview: payload is a Node, React and MongoDB Headless CMS and Application Framework. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the authentication flow when serverURL is configured. An attacker can perform unauthorized actions on behalf of authenticate...

5.4 CVSS, 5.8 AI score, 0.00129 EPSS
Exploits 0, References 2

vulnersOsv
added 2026/04/01 9:24 p.m., 5 views

@01.software/sdk (>=0.0.1-251022.145258 <=0.2.3), @adenta/cms (>=0.0.6 <=1.1.1-0) +75 more potentially affected by CVE-2026-34748 via @payloadcms/ui (>=3.0.0-alpha.0 <=3.78.0-internal.5219978)

@payloadcms/ui NPM version =3.0.0-alpha.0, =0.0.1-251022.145258, =0.0.6, =3.70.0, =0.0.3, =3.39.2, =1.0.1-beta.3, =0.1.2, =0.0.1, =1.0.0, =0.1.0, =0.1.2, =1.0.0, =1.1.29 and more Source cves: CVE-2026-34748 Source advisory: SNYK:JS-PAYLOADCMSUI-15873862...

8.7 CVSS, 5.8 AI score, 0.00286 EPSS
Exploits 0

vulnersOsv
added 2026/04/01 9:24 p.m., 5 views

@adenta/cms (>=0.0.6 <=1.1.1-0), @anjy7/navbar-cms (=0.0.5) +21 more potentially affected by CVE-2026-34748 via @payloadcms/next (>=3.0.0-alpha.46 <=3.78.0-internal.5219978)

@payloadcms/next NPM version =3.0.0-alpha.46, =0.0.6, =0.1.2, =1.0.2, =0.1.0, =3.2.0, =0.2.0, =1.0.54, =0.1.0, =0.1.4, =1.0.0, =0.0.5, =0.0.1, =0.0.4 and more Source cves: CVE-2026-34748 Source advisory: OSV:GHSA-MMXC-95CH-2J7C...

8.7 CVSS, 5.8 AI score, 0.00286 EPSS
Exploits 0

GitHub Security Blog
added 2026/04/01 9:24 p.m., 4 views

@payloadcms/next has Stored XSS in Admin Panel

Impact: A stored Cross-site Scripting (XSS) vulnerability existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another user, would execute in their browser. Consumers are affected if ALL of these are true: - Payload version v3.78...

8.7 CVSS, 5.9 AI score, 0.00286 EPSS
Exploits 0, References 3, Affected Software 1

OSV
added 2026/04/01 9:24 p.m., 2 views

GHSA-MMXC-95CH-2J7C @payloadcms/next has Stored XSS in Admin Panel

Impact: A stored Cross-site Scripting (XSS) vulnerability existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another user, would execute in their browser. Consumers are affected if ALL of these are true: - Payload version v3.78...

8.7 CVSS, 5.9 AI score, 0.00286 EPSS
Exploits 0, References 3

Snyk
added 2026/04/01 9:19 p.m., 1 views

SQL Injection

Overview: @payloadcms/drizzle is a library of shared functions used by different payload database adapters. Affected versions of this package are vulnerable to SQL Injection via the endpoints accepting dynamic query for Collections. An attacker can access sensitive information or modify data by...

8.5 CVSS, 6 AI score, 0.00317 EPSS
Exploits 0, References 2

NVD
added 2026/04/01 8:16 p.m., 2 views

CVE-2026-34750

Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3, the client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize...

6.5 CVSS, 0.00341 EPSS
Exploits 0, References 1

Cvelist
added 2026/04/01 7:51 p.m., 20 views

CVE-2026-34750 Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints

Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3, the client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize...

6.5 CVSS, 0.00341 EPSS
Exploits 0, References 1

Vulnrichment
added 2026/04/01 7:51 p.m., 2 views

CVE-2026-34750 Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints

Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3, the client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize...

6.5 CVSS, 5.8 AI score, 0.00341 EPSS
Exploits 0, References 1

CVE
added 2026/04/01 7:49 p.m., 9 views

CVE-2026-34749

The CVE-2026-34749 entry concerns Payload CMS (headless CMS). A CSRF vulnerability existed in the authentication flow prior to version 3.79.1, where under certain conditions the configured CSRF protection could be bypassed, allowing cross-site requests. The issue has been fixed in version 3.79.1....

5.4 CVSS, 5.7 AI score, 0.00129 EPSS
Exploits 0, References 2, Affected Software 1

Cvelist
added 2026/04/01 7:49 p.m., 18 views

CVE-2026-34749 Payload has a CSRF Protection Bypass in Authentication Flow

Payload is a free and open source headless content management system. Prior to version 3.79.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made. Th...

5.4 CVSS, 0.00129 EPSS
Exploits 0, References 2

Cvelist
added 2026/04/01 7:48 p.m., 17 views

CVE-2026-34748 @payloadcms/next has Stored XSS in Admin Panel

Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/next, a stored Cross-Site Scripting (XSS) vulnerability existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another...

8.7 CVSS, 0.00286 EPSS
Exploits 0, References 1