Skip to main content

Payloadcms

1 CVEs product

Monthly

CVE-2026-11779 MEDIUM This Month

Improper authorization in PayloadCMS 3.84.1 allows low-privilege authenticated users to invoke the account unlock operation without sufficient access control, effectively bypassing the brute-force lockout mechanism protecting other user accounts. Reported by Fluid Attacks, this flaw has both a confidentiality and integrity dimension: attackers can disclose account state information and manipulate the lock status of accounts they do not own. No public exploit code or CISA KEV listing has been identified at time of analysis.

Information Disclosure Payloadcms
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
EPSS 0% CVSS 5.3
MEDIUM This Month

Improper authorization in PayloadCMS 3.84.1 allows low-privilege authenticated users to invoke the account unlock operation without sufficient access control, effectively bypassing the brute-force lockout mechanism protecting other user accounts. Reported by Fluid Attacks, this flaw has both a confidentiality and integrity dimension: attackers can disclose account state information and manipulate the lock status of accounts they do not own. No public exploit code or CISA KEV listing has been identified at time of analysis.

Information Disclosure Payloadcms
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy