Summary
uuid@11.x is a transitive dependency of payload, @payloadcms/next, and @payloadcms/ui. A patched version (uuid@14.0.0+) is available but Payload has not yet updated to it.
Vulnerability details
- Snyk ID: SNYK-JS-UUID-16133035
- CVE: CVE-2026-41907
- Package: uuid@11.1.0 (current in Payload 3.84.1)
- Type: Improper Validation of Specified Index, Position, or Offset in Input
- Fix: Upgrade to uuid >= 14.0.0
Dependency path
payload@3.84.1 → uuid@11.1.0
@payloadcms/next@3.84.1 → uuid@11.1.0
@payloadcms/ui@3.84.1 → uuid@11.1.0
Request
Please update the uuid dependency to >=14.0.0 in the affected Payload packages. Downstream users cannot safely force-override this without risking breaking Payload's internal ID generation.