Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package payload, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (10)
CVE-2022-27952 — CVSS 9.8 (critical): An arbitrary file upload vulnerability in the file upload module of PayloadCMS v0.15.0 allows attackers to execute arbitrary code via a…
CVE-2026-34751 — CVSS 9.1 (critical): Payload is a free and open source headless content management system. Prior to version 3.79.1 in @payloadcms/graphql and payload, a…
CVE-2026-34747 — CVSS 8.5 (high): Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly…
CVE-2026-34746 — CVSS 7.7 (high): Payload is a free and open source headless content management system. Prior to version 3.79.1, an authenticated Server-Side Request Forgery…
CVE-2023-30843 — CVSS 7.4 (high): Payload is a free and open source headless content management system. In versions prior to 1.7.0, if a user has access to documents that…
CVE-2026-27567 — CVSS 6.5 (medium): Payload is a free and open source headless content management system. Prior to 3.75.0, a Server-Side Request Forgery (SSRF) vulnerability…
CVE-2025-4643: Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or…
CVE-2026-25574 — CVSS 5.4 (medium): Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference…
CVE-2026-34749 — CVSS 5.4 (medium): Payload is a free and open source headless content management system. Prior to version 3.79.1, a Cross-Site Request Forgery (CSRF)…
CVE-2025-4644: A Session Fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. A malicious attacker…