Vendor
A critical vulnerability in @delmaredigital/payload-puck versions prior to 0.6.23 allows attackers to bypass collection-level access controls in PayloadCMS via the /api/puck/* endpoints due to improper access configuration, leading to unauthorized data manipulation.