Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/%40payloadcms/next@3.20.0-canary.9f2bca1
Typenpm
Namespace@payloadcms
Namenext
Version3.20.0-canary.9f2bca1
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version3.78.0
Latest_non_vulnerable_version3.78.0
Affected_by_vulnerabilities
0
url VCID-561q-1w64-yyhf
vulnerability_id VCID-561q-1w64-yyhf
summary 
Payload's SQLite adapter Session Fixation vulnerability
A Session Fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. A malicious attacker could create a new account, save its JSON Web Token (JWT), and then delete the account, which did not invalidate the JWT. As a result, the next newly created user would receive the same identifier, allowing the attacker to reuse the JWT to authenticate and perform actions as that user.

This issue has been fixed in version 3.44.0 of Payload.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-4644
reference_id
reference_type
scores
0
value 0.00088
scoring_system epss
scoring_elements 0.25313
published_at 2026-06-05T12:55:00Z
1
value 0.00088
scoring_system epss
scoring_elements 0.25197
published_at 2026-06-09T12:55:00Z
2
value 0.00088
scoring_system epss
scoring_elements 0.2519
published_at 2026-06-08T12:55:00Z
3
value 0.00088
scoring_system epss
scoring_elements 0.25247
published_at 2026-06-07T12:55:00Z
4
value 0.00088
scoring_system epss
scoring_elements 0.25297
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-4644
1
reference_url https://github.com/payloadcms/payload
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-29T11:53:19Z/
url https://github.com/payloadcms/payload
2
reference_url https://github.com/payloadcms/payload/commit/26d709dda6e512ce347557eaa2057db6e0cbf809
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/payloadcms/payload/commit/26d709dda6e512ce347557eaa2057db6e0cbf809
3
reference_url https://cert.pl/en/posts/2025/08/CVE-2025-4643
reference_id CVE-2025-4643
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-29T11:53:19Z/
url https://cert.pl/en/posts/2025/08/CVE-2025-4643
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-4644
reference_id CVE-2025-4644
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-4644
5
reference_url https://github.com/advisories/GHSA-26rv-h2hf-3fw4
reference_id GHSA-26rv-h2hf-3fw4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-26rv-h2hf-3fw4
6
reference_url https://payloadcms.com
reference_id payloadcms.com
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-29T11:53:19Z/
url https://payloadcms.com
fixed_packages
0
url pkg:npm/%40payloadcms/next@3.44.0
purl pkg:npm/%40payloadcms/next@3.44.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-59p4-ezpr-vugc
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540payloadcms/next@3.44.0
aliases CVE-2025-4644, GHSA-26rv-h2hf-3fw4
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-561q-1w64-yyhf
1
url VCID-59p4-ezpr-vugc
vulnerability_id VCID-59p4-ezpr-vugc
summary 
@payloadcms/next has Stored XSS in Admin Panel
### Impact

A stored Cross-site Scripting (XSS) vulnerability existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another user, would execute in their browser.

Consumers are affected if ALL of these are true:

- Payload version **< v3.78.0**
- At least one collection with versions enabled
- An authenticated user has `create` or `update` access to that collection

### Patches

This vulnerability has been patched in **v3.78.0**. Output encoding has been added to prevent user-supplied content from being interpreted as markup.

Users should upgrade to **v3.78.0** or later.

### Workarounds

If consumers cannot upgrade immediately:

- Restrict `create` and `update` access to versioned collections to trusted roles only.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34748
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.02677
published_at 2026-06-05T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.0263
published_at 2026-06-07T12:55:00Z
2
value 0.00014
scoring_system epss
scoring_elements 0.02684
published_at 2026-06-06T12:55:00Z
3
value 0.00016
scoring_system epss
scoring_elements 0.0385
published_at 2026-06-09T12:55:00Z
4
value 0.00016
scoring_system epss
scoring_elements 0.0383
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34748
1
reference_url https://github.com/payloadcms/payload
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/payloadcms/payload
2
reference_url https://github.com/payloadcms/payload/security/advisories/GHSA-mmxc-95ch-2j7c
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/payloadcms/payload/security/advisories/GHSA-mmxc-95ch-2j7c
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34748
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34748
4
reference_url https://github.com/advisories/GHSA-mmxc-95ch-2j7c
reference_id GHSA-mmxc-95ch-2j7c
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mmxc-95ch-2j7c
fixed_packages
0
url pkg:npm/%40payloadcms/next@3.78.0
purl pkg:npm/%40payloadcms/next@3.78.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540payloadcms/next@3.78.0
aliases CVE-2026-34748, GHSA-mmxc-95ch-2j7c
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-59p4-ezpr-vugc
2
url VCID-qk7y-bukt-wffj
vulnerability_id VCID-qk7y-bukt-wffj
summary 
Payload does not invalidate JWTs after log out
Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted token to freely reuse it until expiration date (which is by default set to 2 hours, but can be changed).

This issue has been fixed in version 3.44.0 of Payload.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-4643
reference_id
reference_type
scores
0
value 0.0006
scoring_system epss
scoring_elements 0.18868
published_at 2026-06-09T12:55:00Z
1
value 0.0006
scoring_system epss
scoring_elements 0.18847
published_at 2026-06-08T12:55:00Z
2
value 0.0006
scoring_system epss
scoring_elements 0.18921
published_at 2026-06-07T12:55:00Z
3
value 0.0006
scoring_system epss
scoring_elements 0.1896
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-4643
1
reference_url https://github.com/payloadcms/payload
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-29T11:54:20Z/
url https://github.com/payloadcms/payload
2
reference_url https://github.com/payloadcms/payload/commit/26d709dda6e512ce347557eaa2057db6e0cbf809
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/payloadcms/payload/commit/26d709dda6e512ce347557eaa2057db6e0cbf809
3
reference_url https://cert.pl/en/posts/2025/08/CVE-2025-4643
reference_id CVE-2025-4643
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-29T11:54:20Z/
url https://cert.pl/en/posts/2025/08/CVE-2025-4643
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-4643
reference_id CVE-2025-4643
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-4643
5
reference_url https://github.com/advisories/GHSA-5v66-m237-hwf7
reference_id GHSA-5v66-m237-hwf7
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5v66-m237-hwf7
6
reference_url https://payloadcms.com
reference_id payloadcms.com
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-29T11:54:20Z/
url https://payloadcms.com
fixed_packages
0
url pkg:npm/%40payloadcms/next@3.44.0
purl pkg:npm/%40payloadcms/next@3.44.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-59p4-ezpr-vugc
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540payloadcms/next@3.44.0
aliases CVE-2025-4643, GHSA-5v66-m237-hwf7
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qk7y-bukt-wffj
Fixing_vulnerabilities
Risk_score4.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/%2540payloadcms/next@3.20.0-canary.9f2bca1