CVE-2026-34750

Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints

CVSS 6.5 MEDIUMEPSS 0.3%CWE-22

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 6.5EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

01 Apr 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3, the client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize filenames. An attacker could craft filenames to escape the intended storage location. This issue has been patched in version 3.78.0 for @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Affected products

payloadcms · payload

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/payloadcms/payload/security/advisories/GHSA-frq9-7j6g-v74x