Security: payloadcms/payload

SECURITY.md
Please report any security issues or concerns to info@payloadcms.com.

Security advisories
- Unvalidated Input in Password Recovery Endpoints (GHSA-hp5w-3hxx-vmwf). Severity: Critical. Published Mar 30, 2026 by denolfe.
- Insufficient Filename Validation in Client-Upload Signed-URL Endpoints (GHSA-frq9-7j6g-v74x). Severity: Moderate. Published Mar 30, 2026 by denolfe.
- CSRF Protection Bypass in Authentication Flow (GHSA-p6mr-xf3r-ghq4). Severity: Moderate. Published Mar 30, 2026 by denolfe.
- Authenticated SSRF via Upload Functionality (GHSA-6r7f-q7f5-wpx8). Severity: High. Published Mar 30, 2026 by denolfe.
- Stored XSS in Admin Panel (GHSA-mmxc-95ch-2j7c). Severity: High. Published Mar 30, 2026 by denolfe.
- SQL Injection via Query Handling (GHSA-7xxh-373w-35vg). Severity: High. Published Mar 30, 2026 by denolfe.
- Server-Side Request Forgery (SSRF) in External File URL Uploads (GHSA-hhfx-5x8j-f5f6). Severity: Moderate. Published Feb 23, 2026 by denolfe.
- Cross-Collection IDOR in payload-preferences Access Control (Multi-Auth Environments) (GHSA-jq29-r496-r955). Severity: Moderate. Published Feb 5, 2026 by denolfe.
- SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters (GHSA-xx6w-jxg9-2wh8). Severity: Critical. Published Feb 5, 2026 by denolfe.
- Hidden fields can be leaked on readable collections (GHSA-35jj-vqcf-f2jf). Severity: High. Published Apr 26, 2023 by denolfe.
Learn more about advisories related to payloadcms/payload in the GitHub Advisory Database.