Skip to main content

Payload CVE-2026-34747

| EUVDEUVD-2026-18013 HIGH
SQL Injection (CWE-89)
2026-04-01 security-advisories@github.com GHSA-7xxh-373w-35vg
8.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Apr 02, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 01, 2026 - 20:27 euvd
EUVD-2026-18013
Analysis Generated
Apr 01, 2026 - 20:27 vuln.today
CVE Published
Apr 01, 2026 - 20:16 nvd
HIGH 8.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 npm packages depend on payload (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.79.1.

DescriptionGitHub Advisory

Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections. This issue has been patched in version 3.79.1.

AnalysisAI

SQL injection in Payload CMS versions prior to 3.79.1 allows authenticated attackers to manipulate database queries and exfiltrate or modify collection data. The vulnerability stems from inadequate input validation on request parameters, enabling low-privilege users to craft malicious SQL queries with low attack complexity over the network. No public exploit identified at time of analysis. EPSS risk data not available, but the CVSS score of 8.5 with scope change (S:C) indicates potential for significant impact beyond the vulnerable component.

Technical ContextAI

Payload is a headless content management system built on Node.js that provides API-first content management capabilities. This vulnerability represents a classic SQL injection flaw (CWE-89) where user-controlled input from HTTP requests is incorporated into SQL queries without proper sanitization or parameterization. The affected component processes request inputs that directly influence SQL query construction for database operations on collections (Payload's term for content types/tables). The scope change designation in the CVSS vector (S:C) suggests the vulnerability may allow attackers to access resources beyond the immediate vulnerable component, potentially affecting the underlying database or other collections not intended for the authenticated user's access level. Affected product CPE would be cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:* with versions below 3.79.1.

RemediationAI

Upgrade immediately to Payload CMS version 3.79.1, which contains the vendor-released patch addressing the SQL injection vulnerability. Download the patched release from the official GitHub repository at https://github.com/payloadcms/payload/releases/tag/v3.79.1 and follow standard upgrade procedures for Node.js applications, including dependency updates via npm or yarn package managers. Review the security advisory at https://github.com/payloadcms/payload/security/advisories/GHSA-7xxh-373w-35vg for additional context. No workarounds are documented; upgrading to the patched version is the only complete remediation. Organizations unable to upgrade immediately should implement compensating controls including restricting authenticated user access, monitoring database query logs for suspicious patterns, deploying web application firewalls with SQL injection signatures, and limiting network access to the CMS administrative interfaces to trusted IP ranges.

Share

CVE-2026-34747 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy