CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Description
Payload is a free and open source headless content management system. Prior to version 3.79.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the upload functionality. Authenticated users with create or update access to an upload-enabled collection could cause the server to make outbound HTTP requests to arbitrary URLs. This issue has been patched in version 3.79.1.
Analysis
Server-Side Request Forgery in Payload CMS versions prior to 3.79.1 allows authenticated users with upload permissions to force the server to make HTTP requests to arbitrary URLs, potentially exposing internal network resources and sensitive data. The vulnerability affects the upload functionality and enables information disclosure with high confidentiality impact. …
Remediation
Within 24 hours: Identify all Payload CMS deployments and their current versions; immediately audit upload permissions and restrict them to trusted administrators only. Within 7 days: Prepare the upgrade to Payload CMS version 3.79.1 or later in a staging environment and test thoroughly before deploying to production. …
EUVD-2026-18011
GHSA-6r7f-q7f5-wpx8