Skip to main content

Payload

9 CVEs product

Monthly

CVE-2026-34749 npm MEDIUM PATCH GHSA This Month

Payload CMS versions prior to 3.79.1 contain a cross-site request forgery (CSRF) vulnerability in the authentication flow that allows attackers to bypass configured CSRF protections and perform unauthorized actions on behalf of authenticated users. The vulnerability requires user interaction (clicking a malicious link) but affects all unauthenticated network-accessible instances. No public exploit code or active exploitation has been identified at the time of analysis.

CSRF Payload
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-34748 npm HIGH PATCH GHSA This Week

Stored Cross-Site Scripting (XSS) in Payload CMS versions prior to 3.78.0 allows authenticated users with write permissions to inject malicious scripts into content that execute in other users' browsers when viewed in the admin panel. The vulnerability requires low privilege access (PR:L) and user interaction (UI:R), enabling attackers to compromise admin accounts with high confidentiality and integrity impact due to scope change (S:C). CVSS score of 8.7 reflects the elevated risk from privileged position abuse. No public exploit identified at time of analysis, though the technical details are publicly documented in GitHub Security Advisory GHSA-mmxc-95ch-2j7c.

XSS Payload
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-34747 npm HIGH PATCH GHSA This Week

SQL injection in Payload CMS versions prior to 3.79.1 allows authenticated attackers to manipulate database queries and exfiltrate or modify collection data. The vulnerability stems from inadequate input validation on request parameters, enabling low-privilege users to craft malicious SQL queries with low attack complexity over the network. No public exploit identified at time of analysis. EPSS risk data not available, but the CVSS score of 8.5 with scope change (S:C) indicates potential for significant impact beyond the vulnerable component.

SQLi Payload
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-34746 npm HIGH PATCH GHSA This Week

Server-Side Request Forgery in Payload CMS versions prior to 3.79.1 allows authenticated users with upload permissions to force the server to make HTTP requests to arbitrary URLs, potentially exposing internal network resources and sensitive data. The vulnerability affects the upload functionality and enables information disclosure with high confidentiality impact. CVSS score of 7.7 reflects network-accessible attack vector with low complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, though the vulnerability requires only basic authenticated access to upload-enabled collections.

SSRF Payload
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-27567 npm MEDIUM PATCH This Month

Payload CMS prior to v3.75.0 contains a Server-Side Request Forgery vulnerability in its external file upload feature that allows authenticated users with upload collection permissions to access internal network resources by exploiting insufficient HTTP redirect validation. An attacker could retrieve sensitive response content from internal services accessible to the Payload server. A patch is available in version 3.75.0.

SSRF Payload
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25574 npm MEDIUM PATCH This Month

Cross-collection IDOR in Payload CMS before v3.74.0 allows authenticated users to read and delete preferences from other authentication collections when numeric user IDs overlap in PostgreSQL or SQLite deployments. This vulnerability affects multi-auth environments where default auto-increment IDs create collisions across separate user collections. An attacker with valid credentials in one authentication domain can access and manipulate sensitive preference data belonging to users in different authentication domains.

PostgreSQL SQLi Payload
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-25544 npm CRITICAL PATCH Act Now

Payload CMS prior to 3.73.0 has a SQL injection vulnerability when querying structured data, enabling database compromise on the headless CMS.

SQLi Payload
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2023-30843 npm MEDIUM PATCH This Month

Payload is a free and open source headless content management system. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Payload
NVD GitHub
CVSS 3.1
6.5
EPSS
0.6%
CVE-2022-27952 npm CRITICAL POC PATCH Act Now

An arbitrary file upload vulnerability in the file upload module of PayloadCMS v0.15.0 allows attackers to execute arbitrary code via a crafted SVG file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Payload
NVD GitHub
CVSS 3.1
9.8
EPSS
2.2%
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Payload CMS versions prior to 3.79.1 contain a cross-site request forgery (CSRF) vulnerability in the authentication flow that allows attackers to bypass configured CSRF protections and perform unauthorized actions on behalf of authenticated users. The vulnerability requires user interaction (clicking a malicious link) but affects all unauthenticated network-accessible instances. No public exploit code or active exploitation has been identified at the time of analysis.

CSRF Payload
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored Cross-Site Scripting (XSS) in Payload CMS versions prior to 3.78.0 allows authenticated users with write permissions to inject malicious scripts into content that execute in other users' browsers when viewed in the admin panel. The vulnerability requires low privilege access (PR:L) and user interaction (UI:R), enabling attackers to compromise admin accounts with high confidentiality and integrity impact due to scope change (S:C). CVSS score of 8.7 reflects the elevated risk from privileged position abuse. No public exploit identified at time of analysis, though the technical details are publicly documented in GitHub Security Advisory GHSA-mmxc-95ch-2j7c.

XSS Payload
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

SQL injection in Payload CMS versions prior to 3.79.1 allows authenticated attackers to manipulate database queries and exfiltrate or modify collection data. The vulnerability stems from inadequate input validation on request parameters, enabling low-privilege users to craft malicious SQL queries with low attack complexity over the network. No public exploit identified at time of analysis. EPSS risk data not available, but the CVSS score of 8.5 with scope change (S:C) indicates potential for significant impact beyond the vulnerable component.

SQLi Payload
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Server-Side Request Forgery in Payload CMS versions prior to 3.79.1 allows authenticated users with upload permissions to force the server to make HTTP requests to arbitrary URLs, potentially exposing internal network resources and sensitive data. The vulnerability affects the upload functionality and enables information disclosure with high confidentiality impact. CVSS score of 7.7 reflects network-accessible attack vector with low complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, though the vulnerability requires only basic authenticated access to upload-enabled collections.

SSRF Payload
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Payload CMS prior to v3.75.0 contains a Server-Side Request Forgery vulnerability in its external file upload feature that allows authenticated users with upload collection permissions to access internal network resources by exploiting insufficient HTTP redirect validation. An attacker could retrieve sensitive response content from internal services accessible to the Payload server. A patch is available in version 3.75.0.

SSRF Payload
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-collection IDOR in Payload CMS before v3.74.0 allows authenticated users to read and delete preferences from other authentication collections when numeric user IDs overlap in PostgreSQL or SQLite deployments. This vulnerability affects multi-auth environments where default auto-increment IDs create collisions across separate user collections. An attacker with valid credentials in one authentication domain can access and manipulate sensitive preference data belonging to users in different authentication domains.

PostgreSQL SQLi Payload
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Payload CMS prior to 3.73.0 has a SQL injection vulnerability when querying structured data, enabling database compromise on the headless CMS.

SQLi Payload
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Payload is a free and open source headless content management system. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Payload
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

An arbitrary file upload vulnerability in the file upload module of PayloadCMS v0.15.0 allows attackers to execute arbitrary code via a crafted SVG file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Payload
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy