Description
An arbitrary file upload vulnerability in the file upload module of PayloadCMS v0.15.0 allows attackers to execute arbitrary code via a crafted SVG file.
Recommendation
Update the `payload` package to the latest compatible version. Version details:
- Affected version(s): <= 0.15.0
- Patched version(s): 0.15.1
References
Related Issues
- Vite's `server.fs` settings were not applied to HTML files - CVE-2025-58752
- Payload does not invalidate JWTs after log out (GHSA-5v66-m237-hwf7) 2 - CVE-2025-4643
- OpenPGP.js's message signature verification can be spoofed - CVE-2025-47934
- Trix editor subject to XSS vulnerabilities on copy & paste - CVE-2024-53847
Tags: npm, payload
Last updated on January 27, 2023