CVE-2026-34750

Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints

CVSS 6.5 MEDIUM · EPSS 0.3% · CWE-22
Vexday Risk Score
13 Low
SSVC Decision (CISA)
Track
No sign of exploitation → monitor
CVSS 6.5 · EPSS 0.3% · KEV no · PoC · Nuclei · Metasploit · Patch
Lifecycle
01 Apr 2026: Published in NVD
Recommendation: Monitor. No sign of exploitation at this time.
Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3, the client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize filenames. An attacker could craft filenames to escape the intended storage location. This issue has been patched in version 3.78.0 for @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Affected products
payloadcms · payload
