{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34750", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T19:17:10.225Z", "datePublished": "2026-04-01T19:51:59.689Z", "dateUpdated": "2026-04-02T15:33:58.886Z"}, "containers": {"cna": {"title": "Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-frq9-7j6g-v74x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/payloadcms/payload/security/advisories/GHSA-frq9-7j6g-v74x"}], "affected": [{"vendor": "payloadcms", "product": "payload", "versions": [{"version": "< 3.78.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T19:51:59.689Z"}, "descriptions": [{"lang": "en", "value": "Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3, the client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize filenames. An attacker could craft filenames to escape the intended storage location. This issue has been patched in version 3.78.0 for @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3."}], "source": {"advisory": "GHSA-frq9-7j6g-v74x", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T15:33:26.614791Z", "id": "CVE-2026-34750", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T15:33:58.886Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34750", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T15:33:26.614791Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T15:33:32.561Z"}}], "cna": {"title": "Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints", "source": {"advisory": "GHSA-frq9-7j6g-v74x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "payloadcms", "product": "payload", "versions": [{"status": "affected", "version": "< 3.78.0"}]}], "references": [{"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-frq9-7j6g-v74x", "name": "https://github.com/payloadcms/payload/security/advisories/GHSA-frq9-7j6g-v74x", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3, the client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize filenames. An attacker could craft filenames to escape the intended storage location. This issue has been patched in version 3.78.0 for @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T19:51:59.689Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34750", "state": "PUBLISHED", "dateUpdated": "2026-04-02T15:33:58.886Z", "dateReserved": "2026-03-30T19:17:10.225Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-01T19:51:59.689Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "225E9788-C205-479C-B3EE-7A57A468929F", "versionEndExcluding": "3.78.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3, the client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize filenames. An attacker could craft filenames to escape the intended storage location. This issue has been patched in version 3.78.0 for @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3."}], "id": "CVE-2026-34750", "lastModified": "2026-04-13T19:15:38.330", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-01T20:16:27.337", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Mitigation"], "url": "https://github.com/payloadcms/payload/security/advisories/GHSA-frq9-7j6g-v74x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.78.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "payload", "source": "cna", "vendor": "payloadcms"}, "product": "payload", "vendor": "payloadcms"}], "analysis": {"en": {"generated_at": "2026-04-13T21:08:44.078415+00:00", "value": {"mitigation_remediation": ["Upgrade Payload to version 3.78.0 or later and ensure the corresponding storage plug\u2011ins are also at their latest patched releases."], "summary": {"action": "Patch Immediately", "impact": "Unauthorised file upload outside intended storage location potentially compromising data integrity and confidentiality"}, "threat_synthesis": {"affected_systems": "The vulnerability affects versions of Payload before 3.78.0 that use the storage plug\u2011ins @payloadcms/storage\u2011azure, @payloadcms/storage\u2011gcs, @payloadcms/storage\u2011r2, or @payloadcms/storage\u2011s3. Users running Payload on Node.js with any of these storage adapters below the specified version are impacted.", "description_and_impact": "A path\u2011traversal issue in the signed\u2011URL upload endpoints of the Payload content management system allows a remote attacker to craft file names that escape the designated storage bucket. By injecting characters such as '..\\' or '/..', the attacker can cause the system to create or overwrite files in arbitrary locations on the storage backend. This can lead to the modification or exposure of sensitive data stored in other buckets or directories, thereby breaching data integrity and confidentiality. The weakness corresponds to CWE\u201122, \"Improper Restriction of Operations within a File System.\"", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity, while an EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, implying no publicly confirmed exploit. Exploitation requires only that an attacker can initiate a client\u2011upload request to a vulnerable Payload instance; no additional privileges or insider access are required. The attack vector is inferred to be remote, leveraging the exposed upload API endpoint."}}}}, "created": "2026-04-02T07:47:56.021748+00:00", "updated": "2026-04-14T16:42:06.663028+00:00", "vendors": ["payloadcms", "payloadcms$PRODUCT$payload"]}