CVEDB API

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-39397

@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The access option passed to createPuckPlugin() and any access rules defined on Puck-registered collections were silently ignored on these endpoints. This vulnerability is fixed in 0.6.23.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.001

EPSS Ranking 15.4%

CVSS Severity

CVSS v3 Score 9.4

References

Products affected by CVE-2026-39397

Delmaredigital » Payload-Puck » Version: 0.1.1

cpe:2.3:a:delmaredigital:payload-puck:0.1.1
Delmaredigital » Payload-Puck » Version: 0.1.2

cpe:2.3:a:delmaredigital:payload-puck:0.1.2
Delmaredigital » Payload-Puck » Version: 0.1.3

cpe:2.3:a:delmaredigital:payload-puck:0.1.3
Delmaredigital » Payload-Puck » Version: 0.2.0

cpe:2.3:a:delmaredigital:payload-puck:0.2.0
Delmaredigital » Payload-Puck » Version: 0.3.0

cpe:2.3:a:delmaredigital:payload-puck:0.3.0
Delmaredigital » Payload-Puck » Version: 0.3.1

cpe:2.3:a:delmaredigital:payload-puck:0.3.1
Delmaredigital » Payload-Puck » Version: 0.4.0

cpe:2.3:a:delmaredigital:payload-puck:0.4.0
Delmaredigital » Payload-Puck » Version: 0.5.0

cpe:2.3:a:delmaredigital:payload-puck:0.5.0
Delmaredigital » Payload-Puck » Version: 0.6.0

cpe:2.3:a:delmaredigital:payload-puck:0.6.0
Delmaredigital » Payload-Puck » Version: 0.6.1

cpe:2.3:a:delmaredigital:payload-puck:0.6.1
Delmaredigital » Payload-Puck » Version: 0.6.10

cpe:2.3:a:delmaredigital:payload-puck:0.6.10
Delmaredigital » Payload-Puck » Version: 0.6.12

cpe:2.3:a:delmaredigital:payload-puck:0.6.12
Delmaredigital » Payload-Puck » Version: 0.6.13

cpe:2.3:a:delmaredigital:payload-puck:0.6.13
Delmaredigital » Payload-Puck » Version: 0.6.14

cpe:2.3:a:delmaredigital:payload-puck:0.6.14
Delmaredigital » Payload-Puck » Version: 0.6.15

cpe:2.3:a:delmaredigital:payload-puck:0.6.15
Delmaredigital » Payload-Puck » Version: 0.6.16

cpe:2.3:a:delmaredigital:payload-puck:0.6.16
Delmaredigital » Payload-Puck » Version: 0.6.17

cpe:2.3:a:delmaredigital:payload-puck:0.6.17
Delmaredigital » Payload-Puck » Version: 0.6.18

cpe:2.3:a:delmaredigital:payload-puck:0.6.18
Delmaredigital » Payload-Puck » Version: 0.6.19

cpe:2.3:a:delmaredigital:payload-puck:0.6.19
Delmaredigital » Payload-Puck » Version: 0.6.2

cpe:2.3:a:delmaredigital:payload-puck:0.6.2
Delmaredigital » Payload-Puck » Version: 0.6.20

cpe:2.3:a:delmaredigital:payload-puck:0.6.20
Delmaredigital » Payload-Puck » Version: 0.6.21

cpe:2.3:a:delmaredigital:payload-puck:0.6.21
Delmaredigital » Payload-Puck » Version: 0.6.22

cpe:2.3:a:delmaredigital:payload-puck:0.6.22
Delmaredigital » Payload-Puck » Version: 0.6.3

cpe:2.3:a:delmaredigital:payload-puck:0.6.3
Delmaredigital » Payload-Puck » Version: 0.6.4

cpe:2.3:a:delmaredigital:payload-puck:0.6.4
Delmaredigital » Payload-Puck » Version: 0.6.5

cpe:2.3:a:delmaredigital:payload-puck:0.6.5
Delmaredigital » Payload-Puck » Version: 0.6.6

cpe:2.3:a:delmaredigital:payload-puck:0.6.6
Delmaredigital » Payload-Puck » Version: 0.6.7

cpe:2.3:a:delmaredigital:payload-puck:0.6.7
Delmaredigital » Payload-Puck » Version: 0.6.8

cpe:2.3:a:delmaredigital:payload-puck:0.6.8
Delmaredigital » Payload-Puck » Version: 0.6.9

cpe:2.3:a:delmaredigital:payload-puck:0.6.9

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-39397

Products

Pricing

Contact Us