Payload is a free and open source headless content management system. Prior to version 3.79.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability…

A Server-Side Request Forgery (SSRF) vulnerability was discovered in Payload CMS, a free and open source headless content management system. The vulnerability affects versions prior to 3.79.1 and exists in the upload functionality. Authenticated users with create or update access to upload-enabled collections can exploit this vulnerability to cause the server to make outbound HTTP requests to arbitrary URLs. This could potentially allow attackers to access internal resources, perform port scanning, or interact with services that should not be accessible. The vulnerability requires authentication but can be exploited by users with relatively low privileges. The issue has been addressed and patched in version 3.79.1.