Lookup for vulnerable packages by Package URL.

Purl pkg:npm/payload@0.14.3-beta.0
Type npm
Namespace
Name payload
Version 0.14.3-beta.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 3.79.1
Latest_non_vulnerable_version 3.79.1
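The Type, Namespace, Name, Version, Qualifiers and Subpath fields above are the purl-spec decomposition of the looked-up Package URL. The parser below, added here as an illustration and not VulnerableCode's own code, performs that decomposition for any purl and goes beyond the page's example by also handling percent-encoded namespaces, qualifiers and subpaths; the rule that only an `@` after the last `/` starts a version (so a raw npm scope is not misread) is an assumption noted in the comments.

```javascript
// Package URL (purl) parser: splits scheme:type/namespace/name@version?qualifiers#subpath
// into the same six components VulnerableCode shows for a looked-up package.
// Added example; not VulnerableCode's own parser.
function parsePurl(purl) {
  if (typeof purl !== 'string' || !purl.startsWith('pkg:')) {
    throw new Error('a purl must start with the "pkg:" scheme');
  }
  // Drop the scheme and any leading slashes ("pkg://npm/..." is tolerated by the spec).
  let rest = purl.slice('pkg:'.length).replace(/^\/+/, '');

  // Peel components from the right, so that '#', '?' and '@' characters inside
  // earlier components cannot be mistaken for separators.
  let subpath = '';
  const hash = rest.lastIndexOf('#');
  if (hash !== -1) {
    subpath = rest.slice(hash + 1).split('/')
      .filter((s) => s !== '' && s !== '.' && s !== '..') // spec: discard empty, '.', '..'
      .map(decodeURIComponent)
      .join('/');
    rest = rest.slice(0, hash);
  }

  const qualifiers = {};
  const q = rest.lastIndexOf('?');
  if (q !== -1) {
    for (const pair of rest.slice(q + 1).split('&')) {
      if (pair === '') continue;
      const eq = pair.indexOf('=');
      const key = (eq === -1 ? pair : pair.slice(0, eq)).toLowerCase(); // keys are case-insensitive
      const value = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1));
      if (value !== '') qualifiers[key] = value; // spec: an empty value means "absent"
    }
    rest = rest.slice(0, q);
  }

  let version = '';
  const at = rest.lastIndexOf('@');
  // Assumption: only an '@' after the last '/' separates the version, so a raw
  // npm scope such as "npm/@scope/name" (canonical form is "%40scope") is not misread.
  if (at !== -1 && at > rest.lastIndexOf('/')) {
    version = decodeURIComponent(rest.slice(at + 1));
    rest = rest.slice(0, at);
  }

  const segments = rest.split('/').filter((s) => s !== '');
  if (segments.length < 2) throw new Error('a purl needs at least a type and a name');
  const type = segments[0].toLowerCase(); // type is case-insensitive
  const name = decodeURIComponent(segments[segments.length - 1]);
  const namespace = segments.slice(1, -1).map(decodeURIComponent).join('/');

  return { type, namespace, name, version, qualifiers, subpath };
}

// Stand-alone demo on the purl from the lookup above.
console.log(JSON.stringify(parsePurl('pkg:npm/payload@0.14.3-beta.0'), null, 2));
```

The result for the page's purl has an empty namespace, no qualifiers and no subpath, matching the empty fields above; feed the same function a scoped npm name or a Maven purl with `?type=jar` to see the other components populated.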
Affected_by_vulnerabilities
0
url VCID-3141-gxqd-kqgy
vulnerability_id VCID-3141-gxqd-kqgy
summary Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections. This issue has been patched in version 3.79.1.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34747
reference_id
reference_type
scores
0
value 0.00032
scoring_system epss
scoring_elements 0.0964
published_at 2026-06-11T12:55:00Z
1
value 0.00032
scoring_system epss
scoring_elements 0.09689
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34747
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34747
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34747
2
reference_url https://github.com/advisories/GHSA-7xxh-373w-35vg
reference_id GHSA-7xxh-373w-35vg
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7xxh-373w-35vg
3
reference_url https://github.com/payloadcms/payload/security/advisories/GHSA-7xxh-373w-35vg
reference_id GHSA-7xxh-373w-35vg
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-04T03:07:03Z/
url https://github.com/payloadcms/payload/security/advisories/GHSA-7xxh-373w-35vg
4
reference_url https://github.com/payloadcms/payload/releases/tag/v3.79.1
reference_id v3.79.1
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-04T03:07:03Z/
url https://github.com/payloadcms/payload/releases/tag/v3.79.1
fixed_packages
0
url pkg:npm/payload@3.79.1
purl pkg:npm/payload@3.79.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/payload@3.79.1
aliases CVE-2026-34747, GHSA-7xxh-373w-35vg
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3141-gxqd-kqgy
1
url VCID-39jw-2sr1-87de
vulnerability_id VCID-39jw-2sr1-87de
summary Payload is a free and open source headless content management system. In versions prior to 1.7.0, if a user has access to documents that contain hidden fields or fields they do not have access to, the user could reverse-engineer those values via brute force. Version 1.7.0 contains a patch. As a workaround, write a `beforeOperation` hook to remove `where` queries that attempt to access hidden field data.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-30843
reference_id
reference_type
scores
0
value 0.00426
scoring_system epss
scoring_elements 0.62715
published_at 2026-06-11T12:55:00Z
1
value 0.00426
scoring_system epss
scoring_elements 0.62818
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-30843
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-30843
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-30843
2
reference_url https://github.com/advisories/GHSA-35jj-vqcf-f2jf
reference_id GHSA-35jj-vqcf-f2jf
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-35jj-vqcf-f2jf
3
reference_url https://github.com/payloadcms/payload/security/advisories/GHSA-35jj-vqcf-f2jf
reference_id GHSA-35jj-vqcf-f2jf
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-03T16:45:52Z/
url https://github.com/payloadcms/payload/security/advisories/GHSA-35jj-vqcf-f2jf
4
reference_url https://github.com/payloadcms/payload/releases/tag/v1.7.0
reference_id v1.7.0
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-03T16:45:52Z/
url https://github.com/payloadcms/payload/releases/tag/v1.7.0
fixed_packages
0
url pkg:npm/payload@1.7.0
purl pkg:npm/payload@1.7.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3141-gxqd-kqgy
1
vulnerability VCID-4xkq-rzuy-27ex
2
vulnerability VCID-6u79-g63u-uuck
3
vulnerability VCID-91u2-jfua-p3d5
4
vulnerability VCID-bmwv-r1fw-yug5
5
vulnerability VCID-dynz-b2d5-xbge
6
vulnerability VCID-gm16-jjqh-hkg9
7
vulnerability VCID-s61c-8vjz-gbcd
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/payload@1.7.0
aliases CVE-2023-30843, GHSA-35jj-vqcf-f2jf
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-39jw-2sr1-87de
2
url VCID-4xkq-rzuy-27ex
vulnerability_id VCID-4xkq-rzuy-27ex
summary Payload is a free and open source headless content management system. Prior to version 3.79.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the upload functionality. Authenticated users with create or update access to an upload-enabled collection could cause the server to make outbound HTTP requests to arbitrary URLs. This issue has been patched in version 3.79.1.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34746
reference_id
reference_type
scores
0
value 0.00017
scoring_system epss
scoring_elements 0.04474
published_at 2026-06-11T12:55:00Z
1
value 0.00017
scoring_system epss
scoring_elements 0.04476
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34746
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34746
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34746
2
reference_url https://github.com/advisories/GHSA-6r7f-q7f5-wpx8
reference_id GHSA-6r7f-q7f5-wpx8
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6r7f-q7f5-wpx8
3
reference_url https://github.com/payloadcms/payload/security/advisories/GHSA-6r7f-q7f5-wpx8
reference_id GHSA-6r7f-q7f5-wpx8
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:10:39Z/
url https://github.com/payloadcms/payload/security/advisories/GHSA-6r7f-q7f5-wpx8
4
reference_url https://github.com/payloadcms/payload/releases/tag/v3.79.1
reference_id v3.79.1
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:10:39Z/
url https://github.com/payloadcms/payload/releases/tag/v3.79.1
fixed_packages
0
url pkg:npm/payload@3.79.1
purl pkg:npm/payload@3.79.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/payload@3.79.1
aliases CVE-2026-34746, GHSA-6r7f-q7f5-wpx8
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4xkq-rzuy-27ex
3
url VCID-6u79-g63u-uuck
vulnerability_id VCID-6u79-g63u-uuck
summary Payload is a free and open source headless content management system. Prior to version 3.79.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made. This issue has been patched in version 3.79.1.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34749
reference_id
reference_type
scores
0
value 0.00013
scoring_system epss
scoring_elements 0.02311
published_at 2026-06-11T12:55:00Z
1
value 0.00013
scoring_system epss
scoring_elements 0.0231
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34749
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34749
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34749
2
reference_url https://github.com/advisories/GHSA-p6mr-xf3r-ghq4
reference_id GHSA-p6mr-xf3r-ghq4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-p6mr-xf3r-ghq4
3
reference_url https://github.com/payloadcms/payload/security/advisories/GHSA-p6mr-xf3r-ghq4
reference_id GHSA-p6mr-xf3r-ghq4
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T14:11:02Z/
url https://github.com/payloadcms/payload/security/advisories/GHSA-p6mr-xf3r-ghq4
4
reference_url https://github.com/payloadcms/payload/releases/tag/v3.79.1
reference_id v3.79.1
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T14:11:02Z/
url https://github.com/payloadcms/payload/releases/tag/v3.79.1
fixed_packages
0
url pkg:npm/payload@3.79.1
purl pkg:npm/payload@3.79.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/payload@3.79.1
aliases CVE-2026-34749, GHSA-p6mr-xf3r-ghq4
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6u79-g63u-uuck
4
url VCID-91u2-jfua-p3d5
vulnerability_id VCID-91u2-jfua-p3d5
summary
Payload uses JSON Web Tokens (JWT) for authentication. After logout the JWT is not invalidated, which allows an attacker who has stolen or intercepted a token to reuse it freely until its expiration (by default 2 hours, but configurable).

This issue has been fixed in version 3.44.0 of Payload.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-4643
reference_id
reference_type
scores
0
value 0.0006
scoring_system epss
scoring_elements 0.18951
published_at 2026-06-11T12:55:00Z
1
value 0.0006
scoring_system epss
scoring_elements 0.19116
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-4643
1
reference_url https://github.com/payloadcms/payload/commit/26d709dda6e512ce347557eaa2057db6e0cbf809
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/payloadcms/payload/commit/26d709dda6e512ce347557eaa2057db6e0cbf809
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-4643
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-4643
3
reference_url https://cert.pl/en/posts/2025/08/CVE-2025-4643
reference_id CVE-2025-4643
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-29T11:54:20Z/
url https://cert.pl/en/posts/2025/08/CVE-2025-4643
4
reference_url https://github.com/advisories/GHSA-5v66-m237-hwf7
reference_id GHSA-5v66-m237-hwf7
reference_type
scores
url https://github.com/advisories/GHSA-5v66-m237-hwf7
5
reference_url https://github.com/payloadcms/payload
reference_id payload
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-29T11:54:20Z/
url https://github.com/payloadcms/payload
6
reference_url https://payloadcms.com
reference_id payloadcms.com
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-29T11:54:20Z/
url https://payloadcms.com
fixed_packages
0
url pkg:npm/payload@3.44.0
purl pkg:npm/payload@3.44.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3141-gxqd-kqgy
1
vulnerability VCID-4xkq-rzuy-27ex
2
vulnerability VCID-6u79-g63u-uuck
3
vulnerability VCID-dynz-b2d5-xbge
4
vulnerability VCID-gm16-jjqh-hkg9
5
vulnerability VCID-s61c-8vjz-gbcd
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/payload@3.44.0
aliases CVE-2025-4643, GHSA-5v66-m237-hwf7
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-91u2-jfua-p3d5
5
url VCID-bmwv-r1fw-yug5
vulnerability_id VCID-bmwv-r1fw-yug5
summary
A Session Fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. A malicious attacker could create a new account, save its JSON Web Token (JWT), and then delete the account, which did not invalidate the JWT. As a result, the next newly created user would receive the same identifier, allowing the attacker to reuse the JWT to authenticate and perform actions as that user.

This issue has been fixed in version 3.44.0 of Payload.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-4644
reference_id
reference_type
scores
0
value 0.00088
scoring_system epss
scoring_elements 0.25236
published_at 2026-06-11T12:55:00Z
1
value 0.00088
scoring_system epss
scoring_elements 0.25433
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-4644
1
reference_url https://github.com/payloadcms/payload/commit/26d709dda6e512ce347557eaa2057db6e0cbf809
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/payloadcms/payload/commit/26d709dda6e512ce347557eaa2057db6e0cbf809
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-4644
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-4644
3
reference_url https://cert.pl/en/posts/2025/08/CVE-2025-4643
reference_id CVE-2025-4643
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-29T11:53:19Z/
url https://cert.pl/en/posts/2025/08/CVE-2025-4643
4
reference_url https://github.com/advisories/GHSA-26rv-h2hf-3fw4
reference_id GHSA-26rv-h2hf-3fw4
reference_type
scores
url https://github.com/advisories/GHSA-26rv-h2hf-3fw4
5
reference_url https://github.com/payloadcms/payload
reference_id payload
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-29T11:53:19Z/
url https://github.com/payloadcms/payload
6
reference_url https://payloadcms.com
reference_id payloadcms.com
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-29T11:53:19Z/
url https://payloadcms.com
fixed_packages
0
url pkg:npm/payload@3.44.0
purl pkg:npm/payload@3.44.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3141-gxqd-kqgy
1
vulnerability VCID-4xkq-rzuy-27ex
2
vulnerability VCID-6u79-g63u-uuck
3
vulnerability VCID-dynz-b2d5-xbge
4
vulnerability VCID-gm16-jjqh-hkg9
5
vulnerability VCID-s61c-8vjz-gbcd
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/payload@3.44.0
aliases CVE-2025-4644, GHSA-26rv-h2hf-3fw4
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bmwv-r1fw-yug5
6
url VCID-dynz-b2d5-xbge
vulnerability_id VCID-dynz-b2d5-xbge
summary Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide. This vulnerability has been patched in v3.74.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25574
reference_id
reference_type
scores
0
value 0.00015
scoring_system epss
scoring_elements 0.02927
published_at 2026-06-11T12:55:00Z
1
value 0.00015
scoring_system epss
scoring_elements 0.02936
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25574
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25574
reference_id CVE-2026-25574
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25574
2
reference_url https://github.com/advisories/GHSA-jq29-r496-r955
reference_id GHSA-jq29-r496-r955
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jq29-r496-r955
3
reference_url https://github.com/payloadcms/payload/security/advisories/GHSA-jq29-r496-r955
reference_id GHSA-jq29-r496-r955
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:19:22Z/
url https://github.com/payloadcms/payload/security/advisories/GHSA-jq29-r496-r955
fixed_packages
0
url pkg:npm/payload@3.74.0
purl pkg:npm/payload@3.74.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3141-gxqd-kqgy
1
vulnerability VCID-4xkq-rzuy-27ex
2
vulnerability VCID-6u79-g63u-uuck
3
vulnerability VCID-gm16-jjqh-hkg9
4
vulnerability VCID-s61c-8vjz-gbcd
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/payload@3.74.0
aliases CVE-2026-25574, GHSA-jq29-r496-r955
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dynz-b2d5-xbge
7
url VCID-gm16-jjqh-hkg9
vulnerability_id VCID-gm16-jjqh-hkg9
summary Payload is a free and open source headless content management system. Prior to 3.75.0, a Server-Side Request Forgery (SSRF) vulnerability exists in Payload's external file upload functionality. When processing external URLs for file uploads, insufficient validation of HTTP redirects could allow an authenticated attacker to access internal network resources. The Payload environment must have at least one collection with `upload` enabled and a user who has `create` access to that upload-enabled collection in order to be vulnerable. An authenticated user with upload collection write permissions could potentially access internal services. Response content from internal services could be retrieved through the application. This vulnerability has been patched in v3.75.0. As a workaround, one may mitigate this vulnerability by disabling external file uploads via the `disableExternalFile` upload collection option, or by restricting `create` access on upload-enabled collections to trusted users only.
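Two of the workarounds quoted on this page, the `beforeOperation` hook that strips `where` queries on hidden fields (CVE-2023-30843) and `disableExternalFile` together with restricted `create` access on upload-enabled collections (CVE-2026-27567), can be expressed in a single collection config. The block below is an added example, not Payload's own code; it assumes Payload's documented collection hook shape (`beforeOperation` receives `{ args, operation, req }` and returns `args`, with `args.where` holding the query filter) and a hypothetical `roles` array on the user document.

```javascript
// Added example (not Payload's code): one collection config carrying both
// workarounds quoted on this page. Assumes Payload's collection hook shape
// ({ args, operation, req }) => args and a hypothetical `roles` array on users.

// Fields that must never be queryable. In a real config derive this list from
// the collection's own field definitions (here it is a hand-written assumption).
const HIDDEN_FIELDS = ['internalNotes', 'passwordResetToken'];

// Recursively remove every condition that targets a hidden field from a Payload
// `where` object. Leaves look like { field: { equals: x } }; `and` / `or` hold
// arrays of nested where objects, so a probe hidden inside nesting is caught too.
function stripHiddenFieldConditions(where, hidden = HIDDEN_FIELDS) {
  if (!where || typeof where !== 'object' || Array.isArray(where)) return where;
  const out = {};
  for (const [key, value] of Object.entries(where)) {
    if (key === 'and' || key === 'or') {
      const kept = (Array.isArray(value) ? value : [])
        .map((w) => stripHiddenFieldConditions(w, hidden))
        .filter((w) => w && Object.keys(w).length > 0);
      if (kept.length > 0) out[key] = kept;
      continue;
    }
    // Field paths may be dotted (group.field); match the full path or its root.
    const root = key.split('.')[0];
    if (hidden.includes(key) || hidden.includes(root)) continue; // drop the probe
    out[key] = value;
  }
  return out;
}

// beforeOperation hook: `where` is present on read (find), update-many and
// delete-many operations; every other operation passes through unchanged.
function dropHiddenFieldQueries({ args, operation }) {
  if (args && args.where && ['read', 'update', 'delete'].includes(operation)) {
    return { ...args, where: stripHiddenFieldConditions(args.where) };
  }
  return args;
}

// Hypothetical admin check; replace with the project's real role model.
const isAdmin = ({ req }) =>
  Boolean(req && req.user && Array.isArray(req.user.roles) && req.user.roles.includes('admin'));

const Documents = {
  slug: 'documents',
  access: {
    // The upload SSRFs on this page require create (or update) access on an
    // upload-enabled collection: keep both off untrusted users.
    create: isAdmin,
    update: isAdmin,
  },
  upload: {
    // Refuse server-side fetches of user-supplied URLs (the advisory's first workaround).
    disableExternalFile: true,
  },
  hooks: {
    beforeOperation: [dropHiddenFieldQueries],
  },
  fields: [
    { name: 'title', type: 'text' },
    { name: 'internalNotes', type: 'text', hidden: true },
    { name: 'passwordResetToken', type: 'text', hidden: true, access: { read: () => false } },
  ],
};
```

The hook rewrites rather than rejects the query, so a brute-force probe such as `{ internalNotes: { like: 'a' } }` degrades to an unfiltered find instead of leaking a yes/no answer. None of this replaces upgrading to 3.79.1; it narrows the attack surface while the upgrade is scheduled.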
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-27567
reference_id
reference_type
scores
0
value 0.00011
scoring_system epss
scoring_elements 0.0149
published_at 2026-06-12T12:55:00Z
1
value 0.00011
scoring_system epss
scoring_elements 0.01487
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-27567
1
reference_url https://github.com/payloadcms/payload/commit/1041bb6
reference_id 1041bb6
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-27T19:03:18Z/
url https://github.com/payloadcms/payload/commit/1041bb6
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27567
reference_id CVE-2026-27567
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27567
3
reference_url https://github.com/advisories/GHSA-hhfx-5x8j-f5f6
reference_id GHSA-hhfx-5x8j-f5f6
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-hhfx-5x8j-f5f6
4
reference_url https://github.com/payloadcms/payload/security/advisories/GHSA-hhfx-5x8j-f5f6
reference_id GHSA-hhfx-5x8j-f5f6
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-27T19:03:18Z/
url https://github.com/payloadcms/payload/security/advisories/GHSA-hhfx-5x8j-f5f6
5
reference_url https://github.com/payloadcms/payload/releases/tag/v3.75.0
reference_id v3.75.0
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-27T19:03:18Z/
url https://github.com/payloadcms/payload/releases/tag/v3.75.0
fixed_packages
0
url pkg:npm/payload@3.75.0
purl pkg:npm/payload@3.75.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3141-gxqd-kqgy
1
vulnerability VCID-4xkq-rzuy-27ex
2
vulnerability VCID-6u79-g63u-uuck
3
vulnerability VCID-s61c-8vjz-gbcd
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/payload@3.75.0
aliases CVE-2026-27567, GHSA-hhfx-5x8j-f5f6
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gm16-jjqh-hkg9
8
url VCID-qsk6-rbud-a7gp
vulnerability_id VCID-qsk6-rbud-a7gp
summary Unrestricted Upload of File with Dangerous Type in Payload
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-27952
reference_id
reference_type
scores
0
value 0.01003
scoring_system epss
scoring_elements 0.77522
published_at 2026-06-12T12:55:00Z
1
value 0.01003
scoring_system epss
scoring_elements 0.77453
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-27952
1
reference_url https://www.youtube.com/watch?v=6CfhAxA3xdQ
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.youtube.com/watch?v=6CfhAxA3xdQ
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-27952
reference_id CVE-2022-27952
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-27952
3
reference_url https://github.com/advisories/GHSA-w8xh-93qh-35vw
reference_id GHSA-w8xh-93qh-35vw
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-w8xh-93qh-35vw
fixed_packages
0
url pkg:npm/payload@0.15.1
purl pkg:npm/payload@0.15.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3141-gxqd-kqgy
1
vulnerability VCID-39jw-2sr1-87de
2
vulnerability VCID-4xkq-rzuy-27ex
3
vulnerability VCID-6u79-g63u-uuck
4
vulnerability VCID-91u2-jfua-p3d5
5
vulnerability VCID-bmwv-r1fw-yug5
6
vulnerability VCID-dynz-b2d5-xbge
7
vulnerability VCID-gm16-jjqh-hkg9
8
vulnerability VCID-s61c-8vjz-gbcd
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/payload@0.15.1
aliases CVE-2022-27952, GHSA-w8xh-93qh-35vw
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qsk6-rbud-a7gp
9
url VCID-s61c-8vjz-gbcd
vulnerability_id VCID-s61c-8vjz-gbcd
summary Payload is a free and open source headless content management system. Prior to version 3.79.1 in @payloadcms/graphql and payload, a vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset. This issue has been patched in version 3.79.1 for @payloadcms/graphql and payload.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34751
reference_id
reference_type
scores
0
value 0.00103
scoring_system epss
scoring_elements 0.27747
published_at 2026-06-11T12:55:00Z
1
value 0.00103
scoring_system epss
scoring_elements 0.27947
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34751
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34751
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34751
2
reference_url https://github.com/advisories/GHSA-hp5w-3hxx-vmwf
reference_id GHSA-hp5w-3hxx-vmwf
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-hp5w-3hxx-vmwf
3
reference_url https://github.com/payloadcms/payload/security/advisories/GHSA-hp5w-3hxx-vmwf
reference_id GHSA-hp5w-3hxx-vmwf
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-04T03:06:01Z/
url https://github.com/payloadcms/payload/security/advisories/GHSA-hp5w-3hxx-vmwf
4
reference_url https://github.com/payloadcms/payload/releases/tag/v3.79.1
reference_id v3.79.1
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-04T03:06:01Z/
url https://github.com/payloadcms/payload/releases/tag/v3.79.1
fixed_packages
0
url pkg:npm/payload@3.79.1
purl pkg:npm/payload@3.79.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/payload@3.79.1
aliases CVE-2026-34751, GHSA-hp5w-3hxx-vmwf
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-s61c-8vjz-gbcd
Fixing_vulnerabilities
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/payload@0.14.3-beta.0
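A consumer of this response should not treat each vulnerability's `fixed_packages` entry as an upgrade target: on this page payload@1.7.0, 3.44.0, 3.74.0 and 3.75.0 all carry `is_vulnerable true` because they are affected by later issues, and only `latest_non_vulnerable_version` (3.79.1) is clean against everything listed. The triage function below is an added example, not VulnerableCode client code. It runs over a constructed, trimmed copy of the record above (three of its ten vulnerabilities, with field names and values copied from the page), picks the highest numeric CVSS and the most recent EPSS entry per vulnerability, and flags fix versions that are themselves still vulnerable.

```javascript
// Added example (not VulnerableCode client code): triage one record of the
// /api/packages purl lookup. SAMPLE is a constructed, trimmed copy of the
// response above; field names and values are taken from that response.
const SAMPLE = {
  purl: 'pkg:npm/payload@0.14.3-beta.0',
  is_vulnerable: true,
  latest_non_vulnerable_version: '3.79.1',
  affected_by_vulnerabilities: [
    {
      vulnerability_id: 'VCID-3141-gxqd-kqgy',
      aliases: ['CVE-2026-34747', 'GHSA-7xxh-373w-35vg'],
      references: [
        { reference_url: 'https://api.first.org/data/v1/epss?cve=CVE-2026-34747', scores: [
          { value: '0.00032', scoring_system: 'epss', scoring_elements: '0.0964', published_at: '2026-06-11T12:55:00Z' },
          { value: '0.00032', scoring_system: 'epss', scoring_elements: '0.09689', published_at: '2026-06-12T12:55:00Z' } ] },
        { reference_url: 'https://nvd.nist.gov/vuln/detail/CVE-2026-34747', scores: [
          { value: '8.5', scoring_system: 'cvssv3.1', scoring_elements: 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N' },
          { value: 'HIGH', scoring_system: 'generic_textual', scoring_elements: '' } ] },
        { reference_url: 'https://github.com/advisories/GHSA-7xxh-373w-35vg', scores: [
          { value: 'HIGH', scoring_system: 'cvssv3.1_qr', scoring_elements: '' } ] },
      ],
      fixed_packages: [{ purl: 'pkg:npm/payload@3.79.1', is_vulnerable: false }],
    },
    {
      vulnerability_id: 'VCID-39jw-2sr1-87de',
      aliases: ['CVE-2023-30843', 'GHSA-35jj-vqcf-f2jf'],
      references: [
        { reference_url: 'https://nvd.nist.gov/vuln/detail/CVE-2023-30843', scores: [
          { value: '7.4', scoring_system: 'cvssv3.1', scoring_elements: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N' } ] },
      ],
      // The fix for this issue is itself affected by later ones (is_vulnerable: true).
      fixed_packages: [{ purl: 'pkg:npm/payload@1.7.0', is_vulnerable: true }],
    },
    {
      vulnerability_id: 'VCID-qsk6-rbud-a7gp',
      aliases: ['CVE-2022-27952', 'GHSA-w8xh-93qh-35vw'],
      references: [
        { reference_url: 'https://nvd.nist.gov/vuln/detail/CVE-2022-27952', scores: [
          { value: '9.8', scoring_system: 'cvssv3.1', scoring_elements: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H' } ] },
      ],
      fixed_packages: [{ purl: 'pkg:npm/payload@0.15.1', is_vulnerable: true }],
    },
  ],
};

// Highest numeric CVSS across all references. The qualitative "cvssv3.1_qr"
// ratings (HIGH/CRITICAL) and generic_textual entries are skipped.
function maxCvss(vuln) {
  let best = null;
  for (const ref of vuln.references || []) {
    for (const s of ref.scores || []) {
      if (!/^cvssv\d/.test(s.scoring_system) || s.scoring_system.endsWith('_qr')) continue;
      const v = Number(s.value);
      if (Number.isFinite(v) && (best === null || v > best.score)) {
        best = { score: v, system: s.scoring_system, vector: s.scoring_elements };
      }
    }
  }
  return best;
}

// Most recent EPSS entry: `value` is the probability, `scoring_elements` the percentile.
function latestEpss(vuln) {
  let latest = null;
  for (const ref of vuln.references || []) {
    for (const s of ref.scores || []) {
      if (s.scoring_system !== 'epss') continue;
      if (latest === null || s.published_at > latest.published_at) latest = s;
    }
  }
  if (!latest) return null;
  return { probability: Number(latest.value), percentile: Number(latest.scoring_elements), asOf: latest.published_at };
}

function triage(pkg) {
  const findings = (pkg.affected_by_vulnerabilities || []).map((v) => {
    const cvss = maxCvss(v);
    const fixes = v.fixed_packages || [];
    return {
      id: v.vulnerability_id,
      cve: (v.aliases || []).find((a) => a.startsWith('CVE-')) || null,
      cvss: cvss ? cvss.score : null,
      vector: cvss ? cvss.vector : null,
      epss: latestEpss(v),
      fixVersions: fixes.map((f) => f.purl),
      // A per-vulnerability fix that is itself vulnerable is not a safe upgrade target.
      fixStillVulnerable: fixes.some((f) => f.is_vulnerable === true),
    };
  });
  findings.sort((a, b) => (b.cvss === null ? -1 : b.cvss) - (a.cvss === null ? -1 : a.cvss));
  return {
    purl: pkg.purl,
    vulnerable: pkg.is_vulnerable === true,
    // Only latest_non_vulnerable_version is clean against everything the API knows.
    upgradeTo: pkg.is_vulnerable ? pkg.latest_non_vulnerable_version : null,
    findings,
  };
}

console.log(JSON.stringify(triage(SAMPLE), null, 2));
```

On the sample, the ordering puts CVE-2022-27952 (9.8) first even though it is the oldest entry, and two of the three per-vulnerability fixes are flagged as still vulnerable, which is why `upgradeTo` reports 3.79.1 rather than any of them.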