This vulnerability is trending on Twitter; this may indicate a growing threat.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade @jhb.software/payload-cloudinary-plugin to version 0.4.0 or higher.
@jhb.software/payload-cloudinary-plugin is a Payload CMS storage adapter for Cloudinary
Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the cloudinary-generate-signature endpoint, which forwards attacker-controlled parameters to the signature generation process without proper validation or filtering. An attacker can obtain valid cryptographic signatures for arbitrary Cloudinary API parameters by sending crafted requests as any authenticated user, enabling unauthorized asset replacement, access-control bypass, server-side request forgery, and manipulation of asset storage paths. This is only exploitable if the deployment is configured with clientUploads: true.