Lookup for vulnerable packages by Package URL.

Purl pkg:npm/%40payloadcms/graphql@3.37.0-canary.4
Type npm
Namespace @payloadcms
Name graphql
Version 3.37.0-canary.4
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 3.79.1
Latest_non_vulnerable_version 3.79.1
Affected_by_vulnerabilities
0
url VCID-561q-1w64-yyhf
vulnerability_id VCID-561q-1w64-yyhf
summary
Payload's SQLite adapter Session Fixation vulnerability
A Session Fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. A malicious attacker could create a new account, save its JSON Web Token (JWT), and then delete the account, which did not invalidate the JWT. As a result, the next newly created user would receive the same identifier, allowing the attacker to reuse the JWT to authenticate and perform actions as that user.

This issue has been fixed in version 3.44.0 of Payload.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-4644
reference_id
reference_type
scores
0
value 0.00088
scoring_system epss
scoring_elements 0.25313
published_at 2026-06-05T12:55:00Z
1
value 0.00088
scoring_system epss
scoring_elements 0.25197
published_at 2026-06-09T12:55:00Z
2
value 0.00088
scoring_system epss
scoring_elements 0.2519
published_at 2026-06-08T12:55:00Z
3
value 0.00088
scoring_system epss
scoring_elements 0.25247
published_at 2026-06-07T12:55:00Z
4
value 0.00088
scoring_system epss
scoring_elements 0.25297
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-4644
1
reference_url https://github.com/payloadcms/payload
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-29T11:53:19Z/
url https://github.com/payloadcms/payload
2
reference_url https://github.com/payloadcms/payload/commit/26d709dda6e512ce347557eaa2057db6e0cbf809
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/payloadcms/payload/commit/26d709dda6e512ce347557eaa2057db6e0cbf809
3
reference_url https://cert.pl/en/posts/2025/08/CVE-2025-4643
reference_id CVE-2025-4643
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-29T11:53:19Z/
url https://cert.pl/en/posts/2025/08/CVE-2025-4643
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-4644
reference_id CVE-2025-4644
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-4644
5
reference_url https://github.com/advisories/GHSA-26rv-h2hf-3fw4
reference_id GHSA-26rv-h2hf-3fw4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-26rv-h2hf-3fw4
6
reference_url https://payloadcms.com
reference_id payloadcms.com
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-29T11:53:19Z/
url https://payloadcms.com
fixed_packages
0
url pkg:npm/%40payloadcms/graphql@3.44.0
purl pkg:npm/%40payloadcms/graphql@3.44.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-yrej-ge5q-y3ah
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540payloadcms/graphql@3.44.0
aliases CVE-2025-4644, GHSA-26rv-h2hf-3fw4
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-561q-1w64-yyhf
1
url VCID-qk7y-bukt-wffj
vulnerability_id VCID-qk7y-bukt-wffj
summary
Payload does not invalidate JWTs after log out
Payload uses JSON Web Tokens (JWT) for authentication. After logout, the JWT is not invalidated, which allows an attacker who has stolen or intercepted a token to freely reuse it until its expiration date (which is set to 2 hours by default, but can be changed).

This issue has been fixed in version 3.44.0 of Payload.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-4643
reference_id
reference_type
scores
0
value 0.0006
scoring_system epss
scoring_elements 0.18868
published_at 2026-06-09T12:55:00Z
1
value 0.0006
scoring_system epss
scoring_elements 0.18847
published_at 2026-06-08T12:55:00Z
2
value 0.0006
scoring_system epss
scoring_elements 0.18921
published_at 2026-06-07T12:55:00Z
3
value 0.0006
scoring_system epss
scoring_elements 0.1896
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-4643
1
reference_url https://github.com/payloadcms/payload
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-29T11:54:20Z/
url https://github.com/payloadcms/payload
2
reference_url https://github.com/payloadcms/payload/commit/26d709dda6e512ce347557eaa2057db6e0cbf809
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/payloadcms/payload/commit/26d709dda6e512ce347557eaa2057db6e0cbf809
3
reference_url https://cert.pl/en/posts/2025/08/CVE-2025-4643
reference_id CVE-2025-4643
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-29T11:54:20Z/
url https://cert.pl/en/posts/2025/08/CVE-2025-4643
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-4643
reference_id CVE-2025-4643
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-4643
5
reference_url https://github.com/advisories/GHSA-5v66-m237-hwf7
reference_id GHSA-5v66-m237-hwf7
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5v66-m237-hwf7
6
reference_url https://payloadcms.com
reference_id payloadcms.com
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-29T11:54:20Z/
url https://payloadcms.com
fixed_packages
0
url pkg:npm/%40payloadcms/graphql@3.44.0
purl pkg:npm/%40payloadcms/graphql@3.44.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-yrej-ge5q-y3ah
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540payloadcms/graphql@3.44.0
aliases CVE-2025-4643, GHSA-5v66-m237-hwf7
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qk7y-bukt-wffj
2
url VCID-yrej-ge5q-y3ah
vulnerability_id VCID-yrej-ge5q-y3ah
summary
Payload: Pre-Authentication Account Takeover via Parameter Injection in Password Recovery
### Impact

A vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset.

Users are affected if:

- They are using Payload version **< v3.79.1** with any auth-enabled collection using the built-in `forgot-password` functionality.

### Patches

Input validation and URL construction in the password recovery flow have been hardened.

Users should upgrade to **v3.79.1** or later.

### Workarounds

There are no complete workarounds. Upgrading to **v3.79.1** is recommended.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34751
reference_id
reference_type
scores
0
value 0.00099
scoring_system epss
scoring_elements 0.27103
published_at 2026-06-06T12:55:00Z
1
value 0.00099
scoring_system epss
scoring_elements 0.27063
published_at 2026-06-07T12:55:00Z
2
value 0.00099
scoring_system epss
scoring_elements 0.27111
published_at 2026-06-05T12:55:00Z
3
value 0.00103
scoring_system epss
scoring_elements 0.2772
published_at 2026-06-09T12:55:00Z
4
value 0.00103
scoring_system epss
scoring_elements 0.27713
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34751
1
reference_url https://github.com/payloadcms/payload
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/payloadcms/payload
2
reference_url https://github.com/payloadcms/payload/releases/tag/v3.79.1
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-04T03:06:01Z/
url https://github.com/payloadcms/payload/releases/tag/v3.79.1
3
reference_url https://github.com/payloadcms/payload/security/advisories/GHSA-hp5w-3hxx-vmwf
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-04T03:06:01Z/
url https://github.com/payloadcms/payload/security/advisories/GHSA-hp5w-3hxx-vmwf
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34751
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34751
5
reference_url https://github.com/advisories/GHSA-hp5w-3hxx-vmwf
reference_id GHSA-hp5w-3hxx-vmwf
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-hp5w-3hxx-vmwf
fixed_packages
0
url pkg:npm/%40payloadcms/graphql@3.79.1
purl pkg:npm/%40payloadcms/graphql@3.79.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540payloadcms/graphql@3.79.1
aliases CVE-2026-34751, GHSA-hp5w-3hxx-vmwf
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yrej-ge5q-y3ah
Fixing_vulnerabilities
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540payloadcms/graphql@3.37.0-canary.4