{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34750", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T19:17:10.225Z", "datePublished": "2026-04-01T19:51:59.689Z", "dateUpdated": "2026-04-02T15:33:58.886Z"}, "containers": {"cna": {"title": "Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-frq9-7j6g-v74x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/payloadcms/payload/security/advisories/GHSA-frq9-7j6g-v74x"}], "affected": [{"vendor": "payloadcms", "product": "payload", "versions": [{"version": "< 3.78.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T19:51:59.689Z"}, "descriptions": [{"lang": "en", "value": "Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3, the client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize filenames. An attacker could craft filenames to escape the intended storage location. This issue has been patched in version 3.78.0 for @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3."}], "source": {"advisory": "GHSA-frq9-7j6g-v74x", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T15:33:26.614791Z", "id": "CVE-2026-34750", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T15:33:58.886Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34750", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T15:33:26.614791Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T15:33:32.561Z"}}], "cna": {"title": "Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints", "source": {"advisory": "GHSA-frq9-7j6g-v74x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "payloadcms", "product": "payload", "versions": [{"status": "affected", "version": "< 3.78.0"}]}], "references": [{"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-frq9-7j6g-v74x", "name": "https://github.com/payloadcms/payload/security/advisories/GHSA-frq9-7j6g-v74x", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3, the client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize filenames. An attacker could craft filenames to escape the intended storage location. This issue has been patched in version 3.78.0 for @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T19:51:59.689Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34750", "state": "PUBLISHED", "dateUpdated": "2026-04-02T15:33:58.886Z", "dateReserved": "2026-03-30T19:17:10.225Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-01T19:51:59.689Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3, the client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize filenames. An attacker could craft filenames to escape the intended storage location. This issue has been patched in version 3.78.0 for @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3."}], "id": "CVE-2026-34750", "lastModified": "2026-04-01T20:16:27.337", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-01T20:16:27.337", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/payloadcms/payload/security/advisories/GHSA-frq9-7j6g-v74x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.78.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "payload", "source": "cna", "vendor": "payloadcms"}, "product": "payload", "vendor": "payloadcms"}], "analysis": {"en": {"generated_at": "2026-04-02T04:31:20.660331+00:00", "value": {"mitigation_remediation": ["Upgrade Payload CMS to version 3.78.0 or later, ensuring all storage modules are updated.", "If an upgrade is not immediately possible, restrict usage of signed-URL endpoints or disable external storage temporarily.", "Monitor upload logs for anomalous file paths or unexpected file writes.", "Apply any vendor patches as soon as they become available."], "summary": {"action": "Patch ASAP", "impact": "Unrestricted write via Directory Traversal"}, "threat_synthesis": {"affected_systems": "The issue affects Payload CMS, specifically the storage providers @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3. Versions prior to 3.78.0 are vulnerable; the fix was introduced in 3.78.0 for all affected storage modules.", "description_and_impact": "The vulnerability exists in the client-upload signed-URL endpoints for several storage backends. Filenames are not sanitized, allowing an attacker to craft a path that escapes the intended storage bucket or container. This can enable write access to arbitrary locations, potentially overwriting system or application files and escalating privileges or compromising availability.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by generating a signed upload URL and supplying a crafted filename that traverses the path hierarchy when the file is stored. If the application trusts the upload destination, the attacker may overwrite critical files or create files in privileged directories, leading to potential privilege escalation or denial of service."}}}}, "created": "2026-04-02T07:47:56.021748+00:00", "updated": "2026-04-02T20:16:49.089351+00:00", "vendors": ["payloadcms", "payloadcms$PRODUCT$payload"]}