@payloadcms/graphql (npm) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package @payloadcms/graphql, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (3)
CVE-2026-34751 — CVSS 9.1 (critical): Payload is a free and open source headless content management system. Prior to version 3.79.1 in @payloadcms/graphql and payload, a…
CVE-2025-4643: Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or…
CVE-2025-4644: A Session Fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. A malicious attacker…