← Voltar para CVEs
CVE-2026-25574
MEDIUM5.4
Descricao
Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide. This vulnerability has been patched in v3.74.0.
Detalhes CVE
Pontuacao CVSS v3.15.4
SeveridadeMEDIUM
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosLOW
Interacao do usuarioNONE
Publicado2/6/2026
Ultima modificacao2/20/2026
Fontenvd
Avistamentos honeypot0
Produtos afetados
payloadcms:payload
Fraquezas (CWE)
CWE-639
Referencias
https://github.com/payloadcms/payload/security/advisories/GHSA-jq29-r496-r955(security-advisories@github.com)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.