
4 matches found

Veracode
added 2026/05/27 9:11 a.m., 8 views

Improper Access Control

@delmaredigital/payload-puck is vulnerable to Improper Access Control. The vulnerability is due to the use of Payload's local API with overrideAccess: true in /api/puck/ CRUD endpoints, which allows an attacker to bypass collection-level access controls and perform unauthorized actions...

CVSS 9.8 | AI score 5.8 | EPSS 0.00071
Exploits: 1 | References: 3 | Affected Software: 1
Snyk
added 2026/04/07 9:7 p.m., 1 views

Missing Authorization

Overview: @delmaredigital/payload-puck is a Puck visual page builder plugin for Payload CMS. Affected versions of this package are vulnerable to Missing Authorization via the createPuckPlugin function. An attacker can gain unauthorized access to sensitive data and perform unauthorized modifications...

CVSS 9.8 | AI score 5.7 | EPSS 0.00071
Exploits: 1 | References: 2
Positive Technologies
added 2026/04/07 12:0 a.m., 3 views

PT-2026-31018

Name of the Vulnerable Software and Affected Versions: @delmaredigital/payload-puck versions prior to 0.6.23. Description: The @delmaredigital/payload-puck plugin for PayloadCMS, a visual page builder integration, had a critical issue where access control was bypassed. Specifically, all CRUD endpoin...

CVSS 9.4 | AI score 5.9 | EPSS 0.00071
Exploits: 1 | References: 12
CNNVD
added 2026/04/07 12:0 a.m., 3 views

payload-puck security vulnerability

Payload-puck is a visualization page building plugin developed by Delmare Digital. Versions of payload-puck prior to 0.6.23 contained security vulnerabilities. These vulnerabilities stemmed from the CRUD endpoint handler bypassing all collection-level access controls...

CVSS 9.8 | AI score 5.8 | EPSS 0.00071
Exploits: 1 | References: 3