EUVD-2026-18019
GHSA-frq9-7j6g-v74x
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
4Tags
Description
Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3, the client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize filenames. An attacker could craft filenames to escape the intended storage location. This issue has been patched in version 3.78.0 for @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3.
Analysis
Path traversal in Payload CMS storage adapter client-upload signed-URL endpoints (S3, GCS, Azure, R2) prior to version 3.78.0 allows authenticated attackers to escape intended storage locations via unsanitized filenames, enabling arbitrary file writes to cloud storage buckets. The vulnerability requires user authentication and affects all four cloud storage integrations across the Payload CMS ecosystem.
Sign in for full analysis, threat intelligence, and remediation guidance.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today