payloadcms — Vulnerabilities & Security Advisories 10

Browse all 10 CVE security advisories affecting payloadcms. AI-powered Chinese analysis, POCs, and references for each vulnerability.

PayloadCMS is a headless CMS platform enabling content management through API-driven workflows. Historically, it has faced vulnerabilities including remote code execution, cross-site scripting, and privilege escalation, with 10 CVEs documented. Security concerns often stem from improper input validation and access control weaknesses. While no major public security incidents have been widely reported, the consistent presence of CVEs suggests ongoing challenges in secure development. The platform's API-centric architecture introduces unique attack surfaces requiring rigorous input sanitization. Organizations implementing PayloadCMS should prioritize timely patching and harden configurations against common web vulnerabilities, particularly those related to authentication and data handling.

Top products by payloadcms: payload

CVEs 10

CVE ID	Title	CVSS	Severity	Published
CVE-2026-34750	Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints — payloadCWE-22	6.5	Medium	2026-04-01
CVE-2026-34749	Payload has a CSRF Protection Bypass in Authentication Flow — payloadCWE-352	5.4	Medium	2026-04-01
CVE-2026-34748	@payloadcms/next has Stored XSS in Admin Panel — payloadCWE-79	8.7	High	2026-04-01
CVE-2026-34747	Payload has an SQL Injection via Query Handling — payloadCWE-89	8.5	High	2026-04-01
CVE-2026-34746	Payload has Authenticated SSRF via Upload Functionality — payloadCWE-918	7.7	High	2026-04-01
CVE-2026-34751	Payload has Unvalidated Input in Password Recovery Endpoints — payloadCWE-472	9.1	Critical	2026-04-01
CVE-2026-27567	Payload has Server-Side Request Forgery (SSRF) in External File URL Uploads — payloadCWE-918	6.5	Medium	2026-02-24
CVE-2026-25544	Payload has an SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters — payloadCWE-89	9.8	Critical	2026-02-06
CVE-2026-25574	Payload Affected by Cross-Collection IDOR in payload-preferences Access Control (Multi-Auth Environments) — payloadCWE-639	5.4	Medium	2026-02-06
CVE-2023-30843	Payload's hidden fields can be leaked on readable collections — payloadCWE-200	7.4	High	2023-04-26

This page lists every published CVE security advisory associated with payloadcms. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.

Goal Reached Thanks to every supporter — we hit 100%!

payloadcms — Vulnerabilities & Security Advisories 10