PT-2025-35201 · Payload
Arkadiusz Marta · Published 2025-08-29 · Updated 2025-09-02 · CVE-2025-4644
CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Payload versions prior to 3.44.0
Description
A session fixation issue existed in Payload's SQLite adapter because the identifier freed by deleting an account could be handed to the next account created. An attacker could create an account, save its JSON Web Token (JWT), delete the account, and then present the saved JWT to authenticate as a subsequent user who received the reused identifier.
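As an added illustration (not code from the advisory or from Payload), the following Python script reproduces the mechanism against an in-memory SQLite table: a token that names its holder only by numeric user id keeps resolving after the row it was issued for is deleted, because SQLite gives the freed rowid to the next inserted account; the `AUTOINCREMENT` variant is one assumed mitigation that stops the reuse. The token format and the `users` table are constructed stand-ins for Payload's JWT and schema.

```python
import base64
import hashlib
import hmac
import json
import sqlite3
from typing import Optional, Tuple

# Constructed demo key; a real deployment loads its signing secret from configuration.
SECRET = b"constructed-demo-secret"


def issue_token(user_id: int) -> str:
    """Simplified stand-in for a JWT: a signed payload that identifies the user only by id."""
    body = base64.urlsafe_b64encode(json.dumps({"sub": user_id}).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str) -> Optional[int]:
    """Return the user id carried by a validly signed token, or None if the signature fails."""
    body, sig = token.split(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))["sub"]


def replay_after_deletion(id_clause: str) -> Tuple[Optional[int], Optional[str]]:
    """Create account A, keep A's token, delete A, create account B, then resolve A's old token.

    id_clause is appended to the primary-key definition ("" or " AUTOINCREMENT"); it is a
    constructed constant here, not user input, so building the DDL from it is safe.
    Returns (user id named by the old token, email of the account it now resolves to).
    """
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE users (id INTEGER PRIMARY KEY{id_clause}, email TEXT)")
    a_id = db.execute("INSERT INTO users (email) VALUES ('a@example.test')").lastrowid
    old_token = issue_token(a_id)          # token kept from the deleted account A
    db.execute("DELETE FROM users WHERE id = ?", (a_id,))
    db.execute("INSERT INTO users (email) VALUES ('b@example.test')")  # the next account, B
    uid = verify_token(old_token)          # signature still valid: nothing revoked it
    row = db.execute("SELECT email FROM users WHERE id = ?", (uid,)).fetchone()
    return uid, (row[0] if row else None)


if __name__ == "__main__":
    # Without AUTOINCREMENT SQLite reuses the freed rowid, so the stale token now maps to B.
    print(replay_after_deletion(""))                # (1, 'b@example.test')
    # With AUTOINCREMENT the next account gets id 2 and the stale token resolves to nobody.
    print(replay_after_deletion(" AUTOINCREMENT"))  # (1, None)
```

The detection-side takeaway is that the token itself never becomes invalid; only a non-reusable identifier, or validating the token against state that dies with the account, closes the gap.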
Recommendations
Update to version 3.44.0 or later.
Weakness Enumeration
Session Fixation
Affected Products
Payload
SQLite