payload

v3.85.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 8d Productivity & Wikis

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

cms content-management content-management-system express graphql headless

+11 more

headless-cms jamstack javascript mongodb nextjs nodejs payload payloadcms postgresql react typescript

ReleasePort's take

Moderate signal

editorial:auto 8d

The plugin‑import‑export package graduates from beta and now offers collection‑ and field‑level hooks.

Why it matters: Enables finer‑grained extensibility for import/export workflows in PayloadCMS.

Summary

AI summary

Broad release touches 🐛 Bug Fixes, 🤝 Contributors, 📚 Documentation, and 🚀 Features.

Changes in this release

Type	Severity	Summary	CVE
Security	Critical	bump mongoose to 8.22.1 for CVE‑GHSA‑wpg9‑53fq‑2r8h bump mongoose to 8.22.1 for CVE‑GHSA‑wpg9‑53fq‑2r8h Source: llm_adapter@2026-05-26 Confidence: high	—
Feature	Medium	plugin-import-export graduates from beta, adds collection‑ and field‑level hooks plugin-import-export graduates from beta, adds collection‑ and field‑level hooks Source: llm_adapter@2026-05-26 Confidence: high	—
Dependency	Low	bump uuid package to version 13.0.2 bump uuid package to version 13.0.2 Source: llm_adapter@2026-05-26 Confidence: high	—
Bugfix
Bugfix	Medium	stop workflows from retrying forever when no retries are configured stop workflows from retrying forever when no retries are configured Source: llm_adapter@2026-05-26 Confidence: high	—
Bugfix	Medium	propagate custom hook errors during upload in plugin‑cloud‑storage propagate custom hook errors during upload in plugin‑cloud‑storage Source: llm_adapter@2026-05-26 Confidence: high	—
Bugfix	Medium	preserve user‑defined prefix.defaultValue in plugin‑cloud‑storage preserve user‑defined prefix.defaultValue in plugin‑cloud‑storage Source: llm_adapter@2026-05-26 Confidence: high	—
Bugfix	Medium	deduplicate filename in clientUploads signed URL of plugin‑cloud‑storage deduplicate filename in clientUploads signed URL of plugin‑cloud‑storage Source: llm_adapter@2026-05-26 Confidence: high	—
Bugfix	Medium	make tenant field unselectable in bulk upload “Edit all” of plugin‑multi‑tenant make tenant field unselectable in bulk upload “Edit all” of plugin‑multi‑tenant Source: llm_adapter@2026-05-26 Confidence: high	—
Bugfix	Medium	prevent cursor from being kicked out of nested richtext while typing in a block prevent cursor from being kicked out of nested richtext while typing in a block Source: llm_adapter@2026-05-26 Confidence: high	—
Bugfix	Medium	fix drag/drop image failure in richtext when field name matches collection slug fix drag/drop image failure in richtext when field name matches collection slug Source: llm_adapter@2026-05-26 Confidence: high	—
Bugfix	Low	bulk upload now correctly counts failed files as not saved bulk upload now correctly counts failed files as not saved Source: granite4.1:30b@2026-05-26-audit Confidence: low	—
Bugfix	Low	respect formatDocURL returning null in ListDrawer UI component respect formatDocURL returning null in ListDrawer UI component Source: granite4.1:30b@2026-05-26-audit Confidence: low	—
Bugfix	Low	show all listSearchableFields in ListDrawer search placeholder show all listSearchableFields in ListDrawer search placeholder Source: granite4.1:30b@2026-05-26-audit Confidence: low	—

Full changelog

v3.85.0 (2026-05-26)

🚀 Features

plugin-import-export: out of beta and added support for collection-level and field-level hooks (#16556) (cf9252d)

🐛 Bug Fixes

bump uuid package to 13.0.2 (#16545) (274af06)
stop workflows retrying forever when no retries are configured (#16465) (caf9150)
db-mongodb: bump mongoose to 8.22.1 for GHSA-wpg9-53fq-2r8h (#16688) (4baba91)
plugin-cloud-storage: propagate custom hook errors during upload (#16632) (055c508)
plugin-cloud-storage: preserve user-defined prefix.defaultValue (#16529) (8d14915)
plugin-cloud-storage: dedupe filename in clientUploads signed URL (#16510) (64b2860)
plugin-multi-tenant: tenant field unselectable in bulk upload "Edit all" (#16466) (695df3c)
richtext-lexical: cursor kicked out of nested richtext while typing in a block (#16490) (931a349)
richtext-lexical: drag/drop image into rich text fails when a field name matches the collection slug (#16409) (d6f7b47)
ui: bulk upload silently counts failed files as saved (#16532) (c31f4ef)
ui: respect formatDocURL returning null in ListDrawer (#16464) (0facc44)
ui: show all listSearchableFields in ListDrawer search placeholder (#16467) (3cd4a64)

📚 Documentation

fix links in admin faq (#16711) (7e4f7af)
adds relevant videos to docs sections (#16516) (d17298f)

📝 Templates

bumps next.js to 16.2.6 (#16538) (9b36063)

⚙️ CI

use postgres 15 for content api tests (#16706) (99d4930)

🏡 Chores

deps: bump nodemailer minimum version to 8.0.5 (#16664) (efa4afe)

🤝 Contributors

Sean Zubrickas (@zubricks)
German Jablonski (@GermanJablo)
Jake Fletcher (@jacobsfletch)
Paul (@paulpopus)
Alessio Gravili (@AlessioGr)

Security Fixes

db-mongodb: bump mongoose to 8.22.1 for GHSA-wpg9-53fq-2r8h (CVE not explicitly stated)

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track payload

Get notified when new releases ship.

About payload

Payload is the open-source, fullstack Next.js framework, giving you instant backend superpowers. Get a full TypeScript backend and admin panel instantly. Use Payload as a headless CMS or for building powerful applications.

All releases →