Search
Search Results (6 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-25574 | 1 Payloadcms | 1 Payload | 2026-02-09 | 5.4 Medium |
| Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide. This vulnerability has been patched in v3.74.0. | ||||
| CVE-2026-25544 | 1 Payloadcms | 1 Payload | 2026-02-09 | 9.8 Critical |
| Payload is a free and open source headless content management system. Prior to 3.73.0, when querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind SQL injection attacks. An unauthenticated attacker could extract sensitive data (emails, password reset tokens) and achieve full account takeover without password cracking. This vulnerability is fixed in 3.73.0. | ||||
| CVE-2025-4643 | 1 Payloadcms | 1 Payload | 2025-09-02 | N/A |
| Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted token to freely reuse it until expiration date (which is by default set to 2 hours, but can be changed). This issue has been fixed in version 3.44.0 of Payload. | ||||
| CVE-2025-4644 | 1 Payloadcms | 1 Payload | 2025-09-02 | N/A |
| A Session Fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. A malicious attacker could create a new account, save its JSON Web Token (JWT), and then delete the account, which did not invalidate the JWT. As a result, the next newly created user would receive the same identifier, allowing the attacker to reuse the JWT to authenticate and perform actions as that user. This issue has been fixed in version 3.44.0 of Payload. | ||||
| CVE-2023-30843 | 1 Payloadcms | 1 Payload | 2025-02-03 | 7.4 High |
| Payload is a free and open source headless content management system. In versions prior to 1.7.0, if a user has access to documents that contain hidden fields or fields they do not have access to, the user could reverse-engineer those values via brute force. Version 1.7.0 contains a patch. As a workaround, write a `beforeOperation` hook to remove `where` queries that attempt to access hidden field data. | ||||
| CVE-2022-27952 | 1 Payloadcms | 1 Payload | 2024-11-21 | 9.8 Critical |
| An arbitrary file upload vulnerability in the file upload module of PayloadCMS v0.15.0 allows attackers to execute arbitrary code via a crafted SVG file. | ||||
Page 1 of 1.