VulniosVulnios
All Threat Alerts
criticalCVE Alert
CVE-2026-39397

Critical Vulnerability: CVE-2026-39397 — delmaredigital — payload-puck

@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The access option passed to createPuckPlugin() and any access rules defined on Puck-registered collections were silently ignored on these endpoints. This vulnerability is fixed in 0.6.23.

Wednesday, April 15, 2026delmaredigitalVulnios Threat Intelligence
Share:

Executive Summary

@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The access option passed to createPuckPlugin() and any access rules defined on Puck-registered collections were silently ignored on these endpoints. This vulnerability is fixed in 0.6.23.

Why It Matters

CVE-2026-39397 is rated CRITICAL severity, requiring immediate attention from security teams.

CVSS Base Score: 9.4/10

EPSS (Exploit Prediction): 0.1% probability of exploitation in the next 30 days.

Affected Technologies

Vendors: delmaredigital

Products: payload-puck

🛡️What Defenders Should Check

  • Check if you are affected — Review your asset inventory for products listed in CVE-2026-39397.
  • Apply available patches — Visit vendor advisories for the latest security updates.
  • Monitor for exploitation — Check your SIEM/IDS logs for related indicators.

    • Use Vulnios to continuously monitor your exposure to CVE-2026-39397 and similar vulnerabilities.

    References & Sources

  • https://github.com/delmaredigital/payload-puck/commit/9148201c6bbfa140d44546438027a2f8a70f79a4
  • https://github.com/delmaredigital/payload-puck/issues/7
  • https://github.com/delmaredigital/payload-puck/security/advisories/GHSA-65w6-pf7x-5g85

    • AI Security Advisor

    Powered by Gemini

    Get AI-powered security recommendations tailored to this specific threat — including risk assessment, detection guidance, MITRE ATT&CK mapping, and actionable remediation steps.

    Affected Products

    payload-puck

    Sources

    critical

    Protect Your Organization

    Monitor CVEs, scan for vulnerabilities, and get real-time threat alerts — all in one platform.

    Get Started FreeFree Security ScanOSINT Dashboard

    Get instant alerts on Telegram

    Join our public channel for real-time critical CVE alerts.

    Follow @vulnios