{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34747", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T19:17:10.224Z", "datePublished": "2026-04-01T19:45:24.463Z", "dateUpdated": "2026-04-04T03:07:40.291Z"}, "containers": {"cna": {"title": "Payload has an SQL Injection via Query Handling", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-7xxh-373w-35vg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/payloadcms/payload/security/advisories/GHSA-7xxh-373w-35vg"}, {"name": "https://github.com/payloadcms/payload/releases/tag/v3.79.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/payloadcms/payload/releases/tag/v3.79.1"}], "affected": [{"vendor": "payloadcms", "product": "payload", "versions": [{"version": "< 3.79.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T19:45:24.463Z"}, "descriptions": [{"lang": "en", "value": "Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections. This issue has been patched in version 3.79.1."}], "source": {"advisory": "GHSA-7xxh-373w-35vg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-04T03:07:03.829680Z", "id": "CVE-2026-34747", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-04T03:07:40.291Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34747", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-04T03:07:03.829680Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-04T03:07:35.974Z"}}], "cna": {"title": "Payload has an SQL Injection via Query Handling", "source": {"advisory": "GHSA-7xxh-373w-35vg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "payloadcms", "product": "payload", "versions": [{"status": "affected", "version": "< 3.79.1"}]}], "references": [{"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-7xxh-373w-35vg", "name": "https://github.com/payloadcms/payload/security/advisories/GHSA-7xxh-373w-35vg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/payloadcms/payload/releases/tag/v3.79.1", "name": "https://github.com/payloadcms/payload/releases/tag/v3.79.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections. This issue has been patched in version 3.79.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T19:45:24.463Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34747", "state": "PUBLISHED", "dateUpdated": "2026-04-04T03:07:40.291Z", "dateReserved": "2026-03-30T19:17:10.224Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-01T19:45:24.463Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "B4AE65F8-450D-4573-9CD7-1AA42CE5DC28", "versionEndExcluding": "3.79.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections. This issue has been patched in version 3.79.1."}], "id": "CVE-2026-34747", "lastModified": "2026-04-13T18:53:11.523", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-01T20:16:26.887", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/payloadcms/payload/releases/tag/v3.79.1"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/payloadcms/payload/security/advisories/GHSA-7xxh-373w-35vg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.79.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "payload", "source": "cna", "vendor": "payloadcms"}, "product": "payload", "vendor": "payloadcms"}], "analysis": {"en": {"generated_at": "2026-04-13T21:10:00.153879+00:00", "value": {"mitigation_remediation": ["Upgrade Payload CMS to version 3.79.1 or later."], "summary": {"action": "Immediate Patch", "impact": "Data Confidentiality and Integrity Compromise via SQL Injection"}, "threat_synthesis": {"affected_systems": "Payload CMS before version 3.79.1 is affected. The issue exists in all releases of the Payload CMS product by Payload CMS that shipped prior to the v3.79.1 release.", "description_and_impact": "The vulnerability arises because certain request inputs are not properly validated in Payload CMS, allowing an attacker to inject arbitrary SQL into database queries. This flaw can lead to the exposure or modification of data stored in collections, compromising both confidentiality and integrity of the system. The weakness corresponds to CWE\u201189, SQL Injection.", "risk_and_exploitability": "The common vulnerability scoring system assigns a high severity of 8.5, indicating a serious risk. The EPSS score of less than 1% suggests that exploitation is currently unlikely. Because the vulnerability is not listed in the CISA KEV catalog, no confirmed widespread exploitation has been reported. Attackers would need to send crafted HTTP requests to endpoints that use untrusted input in SQL queries. The attack vector is inferred to be remote over the network, though the description does not explicitly state this. Security teams should treat this as a high\u2011risk issue that requires timely remediation."}}}}, "created": "2026-04-02T07:47:58.886857+00:00", "updated": "2026-04-14T16:42:09.870799+00:00", "vendors": ["payloadcms", "payloadcms$PRODUCT$payload"]}