Payload CMS (Node.js) – Support, CVEs & Health

GHSA-26rv-h2hf-3fw4 CVSS_V4

Payload's SQLite adapter Session Fixation vulnerability

Published: 2025-08-29 Fixed in: 3.44.0

GHSA-35jj-vqcf-f2jf CVSS_V3

Hidden fields can be leaked on readable collections in Payload

Published: 2023-04-26 Fixed in: 1.7.0

GHSA-5v66-m237-hwf7 CVSS_V4

Payload does not invalidate JWTs after log out

Published: 2025-08-29 Fixed in: 3.44.0

GHSA-6r7f-q7f5-wpx8 CVSS_V3

Payload has Authenticated SSRF via Upload Functionality

Published: 2026-04-01 Fixed in: 3.79.1

GHSA-7xxh-373w-35vg CVSS_V3

Payload has an SQL Injection via Query Handling

Published: 2026-04-01 Fixed in: 3.79.1

GHSA-hhfx-5x8j-f5f6 CVSS_V3

Payload: Server-Side Request Forgery (SSRF) in External File URL Uploads

Published: 2026-02-24 Fixed in: 3.75.0

GHSA-hp5w-3hxx-vmwf CVSS_V3

Payload: Pre-Authentication Account Takeover via Parameter Injection in Password Recovery

Published: 2026-04-01 Fixed in: 3.79.1

GHSA-jq29-r496-r955 CVSS_V3

payload-preferences has Cross-Collection IDOR in Access Control (Multi-Auth Environments)

Published: 2026-02-05 Fixed in: 3.74.0

GHSA-p6mr-xf3r-ghq4 CVSS_V3

Payload has a CSRF Protection Bypass in Authentication Flow

Published: 2026-04-01 Fixed in: 3.79.1

GHSA-w8xh-93qh-35vw CVSS_V3

Unrestricted Upload of File with Dangerous Type in Payload

Published: 2022-04-13 Fixed in: 0.15.1

Payload CMS