CNNVD-202602-941 Information
CNNVD ID
CNNVD-202602-941
Related CVE
- CNNVD Published: 2026-02-06
Description (Chinese, translated)
Payload is a headless CMS and application framework built with TypeScript, Node.js, React and MongoDB. Versions of Payload before 3.74.0 contain a security vulnerability: the internal payload-preferences collection has a cross-collection insecure direct object reference (IDOR). In a deployment with multiple auth-enabled collections that use the default sequential or auto-increment IDs, an authenticated user from one auth collection can read and delete the preferences of a user in a different auth collection when their numeric IDs collide.
Description (English)
Payload is a headless CMS and application framework built using TypeScript, Node.js, React and MongoDB. Versions before Payload 3.74.0 contain a security vulnerability that stems from a cross-collection insecure direct object reference (IDOR) in the internal payload-preferences collection. In a multi-auth-collection environment that uses default sequential or auto-increment IDs, an authenticated user from one auth collection can read and delete preferences belonging to users of a different auth collection when their numeric IDs collide.
Hazard Level
High
Vulnerability Type
Other
Affected Vendor
Individual developer
Published
2026-02-06
Last Modified
2026-02-24
References
https://github.com/payloadcms/payload/security/advisories/GHSA-jq29-r496-r955
https://access.redhat.com/security/cve/cve-2026-25574
Patch
https://github.com/payloadcms/payload/releases