{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34747", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T19:17:10.224Z", "datePublished": "2026-04-01T19:45:24.463Z", "dateUpdated": "2026-04-01T19:45:24.463Z"}, "containers": {"cna": {"title": "Payload has an SQL Injection via Query Handling", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-7xxh-373w-35vg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/payloadcms/payload/security/advisories/GHSA-7xxh-373w-35vg"}, {"name": "https://github.com/payloadcms/payload/releases/tag/v3.79.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/payloadcms/payload/releases/tag/v3.79.1"}], "affected": [{"vendor": "payloadcms", "product": "payload", "versions": [{"version": "< 3.79.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T19:45:24.463Z"}, "descriptions": [{"lang": "en", "value": "Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections. This issue has been patched in version 3.79.1."}], "source": {"advisory": "GHSA-7xxh-373w-35vg", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections. This issue has been patched in version 3.79.1."}], "id": "CVE-2026-34747", "lastModified": "2026-04-01T20:16:26.887", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-01T20:16:26.887", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/payloadcms/payload/releases/tag/v3.79.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/payloadcms/payload/security/advisories/GHSA-7xxh-373w-35vg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.79.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "payload", "source": "cna", "vendor": "payloadcms"}, "product": "payload", "vendor": "payloadcms"}], "analysis": {"en": {"generated_at": "2026-04-02T04:32:11.946463+00:00", "value": {"mitigation_remediation": ["Upgrade PayloadCMS to version 3.79.1 or later.", "If upgrade is not immediately possible, restrict access to the affected API endpoints and monitor for abnormal query activity."], "summary": {"action": "Immediate Patch", "impact": "Data exfiltration or modification via SQL injection"}, "threat_synthesis": {"affected_systems": "The affected product is PayloadCMS's Payload. Versions prior to 3.79.1 are impacted. The 3.79.1 release includes the patch that corrects the validation error.", "description_and_impact": "The vulnerability is a SQL injection flaw in PayloadCMS Payload. Improper validation of certain request inputs allows an attacker to craft requests that manipulate SQL query execution. This can lead to unauthorized data exposure or modification within collections, representing a classic input validation issue corresponding to CWE\u201189.", "risk_and_exploitability": "Severity is high with a CVSS score of 8.5. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, via crafted HTTP requests to the CMS's query handling endpoints. An attacker could exploit the flaw without needing authentication, though the exact authentication requirements are not detailed in the advisory. Because of the high impact and the lack of public exploitation references, organizations should treat this as a serious risk pending patch."}}}}, "created": "2026-04-02T07:47:58.886857+00:00", "updated": "2026-04-02T20:16:51.976252+00:00", "vendors": ["payloadcms", "payloadcms$PRODUCT$payload"]}