Nixpkgs Security Tracker

Dismissed

Permalink CVE-2026-25574

5.4 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

updated 1 month, 2 weeks ago by @LeSuisse Activity log

Created automatic suggestion 1 month, 2 weeks ago
@LeSuisse removed
3 packages
- payload_dumper
- payload-dumper-go
- payloadsallthethings
1 month, 2 weeks ago
@LeSuisse dismissed 1 month, 2 weeks ago

Payload Affected by Cross-Collection IDOR in payload-preferences Access Control (Multi-Auth Environments)

Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide. This vulnerability has been patched in v3.74.0.

References

https://github.com/payloadcms/payload/security/advisories/GHSA-jq29-r496-r955 x_refsource_CONFIRM
https://github.com/payloadcms/payload/security/advisories/GHSA-jq29-r496-r955 x_refsource_CONFIRM

Affected products

payload

==< 3.74.0

Not present in nixpkgs

Suggestion detail

References

Affected products