Description
An arbitrary file upload vulnerability in the file upload module of PayloadCMS v0.15.0 allows attackers to execute arbitrary code via a crafted SVG file.
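As an added example (not PayloadCMS code and not part of this advisory), the check below shows the kind of defence-in-depth gate an upload pipeline can apply to SVG files in addition to upgrading: it treats an SVG that carries script elements, event-handler attributes, `javascript:` URLs, `foreignObject` or entity declarations as active content and rejects it. The function name `checkSvgUpload`, the sample SVG strings and the idea of calling it from an upload hook are all assumptions for illustration.

```javascript
// Added example, not PayloadCMS code: reject SVG uploads that carry active
// content instead of storing them and serving them back as images.

// Patterns for content that has no place in an uploaded image. They run
// against the raw text on purpose, so a parser differential between the
// checker and the browser cannot hide a match; false positives are accepted.
const ACTIVE_CONTENT_PATTERNS = [
  { name: 'script element', re: /<\s*script\b/i },
  { name: 'event handler attribute', re: /\son[a-z]+\s*=/i },
  { name: 'javascript: URL', re: /javascript\s*:/i },
  { name: 'foreignObject element', re: /<\s*foreignObject\b/i },
  { name: 'entity declaration', re: /<!ENTITY\b/i },
  { name: 'data:text/html URL', re: /data\s*:\s*text\/html/i },
];

// Returns { safe, findings }. `declaredMimeType` is the type the client
// claimed for the file; the content itself is checked independently of it.
function checkSvgUpload(svgText, declaredMimeType = 'image/svg+xml') {
  const findings = [];

  if (declaredMimeType !== 'image/svg+xml') {
    findings.push(`unexpected MIME type ${declaredMimeType}`);
  }

  // Locate the root element: drop a BOM, an XML declaration, a simple
  // DOCTYPE and comments, then require the document to start with <svg>.
  const head = svgText
    .replace(/^\uFEFF/, '')
    .replace(/<\?xml[^>]*\?>/i, '')
    .replace(/<!DOCTYPE\b[^>]*>/i, '')
    .replace(/<!--[\s\S]*?-->/g, '')
    .trimStart();
  if (!/^<svg\b/i.test(head)) {
    findings.push('root element is not <svg>');
  }

  // Active-content scan over the full, unmodified text.
  for (const { name, re } of ACTIVE_CONTENT_PATTERNS) {
    if (re.test(svgText)) {
      findings.push(name);
    }
  }

  return { safe: findings.length === 0, findings };
}

// Constructed sample inputs (not taken from any real upload or exploit).
const SAMPLE_BENIGN_SVG =
  '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">' +
  '<circle cx="5" cy="5" r="4" fill="red"/></svg>';
const SAMPLE_ACTIVE_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" onload="run()">' +
  '<script>/* active content */</script></svg>';
const SAMPLE_NOT_SVG = '<html><body>hello</body></html>';

// Stand-alone demonstration; an upload hook would call checkSvgUpload on the
// file body and refuse the request when `safe` is false.
for (const [label, sample] of [
  ['benign', SAMPLE_BENIGN_SVG],
  ['active', SAMPLE_ACTIVE_SVG],
  ['not svg', SAMPLE_NOT_SVG],
]) {
  const result = checkSvgUpload(sample);
  console.log(label, result.safe ? 'accepted' : `rejected: ${result.findings.join(', ')}`);
}
```

Rejecting rather than "cleaning" the file is the deliberate choice here: a sanitiser that rewrites SVG has to be right about every element and attribute, whereas a reject-on-match gate only has to be conservative. Serving uploads from a separate origin with `Content-Disposition: attachment` or a restrictive `Content-Security-Policy` limits the impact of anything that does get through.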
Recommendation
Update the payload package to the latest compatible version. Version details:
- Affected version(s): <= 0.15.0
- Patched version(s): 0.15.1
Related Issues
- vite allows server.fs.deny bypass via backslash on Windows - CVE-2025-62522
- Vite's `server.fs` settings were not applied to HTML files - CVE-2025-58752
- Payload's SQLite adapter Session Fixation vulnerability (GHSA-26rv-h2hf-3fw4) - CVE-2025-4644
- Payload does not invalidate JWTs after log out (GHSA-5v66-m237-hwf7) - CVE-2025-4643
Tags: npm, payload
Last updated on January 27, 2023