Every CVE whose affected-product data names Payloadcms Payload, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (11)
CVE-2026-25544 — CVSS 9.8 (critical): Payload is a free and open source headless content management system. Prior to 3.73.0, when querying JSON or richText fields, user input…
CVE-2022-27952 — CVSS 9.8 (critical): An arbitrary file upload vulnerability in the file upload module of PayloadCMS v0.15.0 allows attackers to execute arbitrary code via a…
CVE-2026-34751 — CVSS 9.1 (critical): Payload is a free and open source headless content management system. Prior to version 3.79.1 in @payloadcms/graphql and payload, a…
CVE-2026-34748 — CVSS 8.7 (high): Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/next, a stored Cross-Site…
CVE-2026-34747 — CVSS 8.5 (high): Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly…
CVE-2026-34746 — CVSS 7.7 (high): Payload is a free and open source headless content management system. Prior to version 3.79.1, an authenticated Server-Side Request Forgery…
CVE-2023-30843 — CVSS 7.4 (high): Payload is a free and open source headless content management system. In versions prior to 1.7.0, if a user has access to documents that…
CVE-2026-27567 — CVSS 6.5 (medium): Payload is a free and open source headless content management system. Prior to 3.75.0, a Server-Side Request Forgery (SSRF) vulnerability…
CVE-2026-34750 — CVSS 6.5 (medium): Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/storage-azure…
CVE-2026-34749 — CVSS 5.4 (medium): Payload is a free and open source headless content management system. Prior to version 3.79.1, a Cross-Site Request Forgery (CSRF)…
CVE-2026-25574 — CVSS 5.4 (medium): Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference…