An arbitrary file upload vulnerability in the file upload module of PayloadCMS v0.15.0 allows attackers to execute arbitrary code via a crafted SVG file.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HPayloadcms Payload
APPPayloadcms0.15.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
Related vulnerabilities
CVE-2026-34751CRITICAL9.1PL ✓ten sam produkt
Payload CMS: ominięcie uwierzytelnienia przez podatny przepływ resetowania hasła
CVE-2026-25544CRITICAL9.8PL ✓ten sam produkt
SQL Injection w Payload CMS — przejęcie konta bez uwierzytelnienia
CVE-2026-34747HIGH8.5ten sam produkt
Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request...
CVE-2026-34746HIGH7.7ten sam produkt
Payload is a free and open source headless content management system. Prior to version 3.79.1, an authenticate...
CVE-2026-34748HIGH8.7ten sam produkt
Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/n...