CVE-2026-34747

EUVD-2026-18013
Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections. This issue has been patched in version 3.79.1.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.5 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
GitHub_MCNA
8.5 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
payloadcmspayload
𝑥
< 3.79.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/payloadcms/payload/releases/tag/v3.79.1
https://github.com/payloadcms/payload/security/advisories/GHSA-7xxh-373w-35vg