Skip to main content

Microsoft EUVDEUVD-2026-18019

| CVE-2026-34750 MEDIUM
Path Traversal (CWE-22)
2026-04-01 security-advisories@github.com GHSA-frq9-7j6g-v74x
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch released
Apr 02, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 01, 2026 - 20:27 euvd
EUVD-2026-18019
Analysis Generated
Apr 01, 2026 - 20:27 vuln.today
CVE Published
Apr 01, 2026 - 20:16 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3, the client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize filenames. An attacker could craft filenames to escape the intended storage location. This issue has been patched in version 3.78.0 for @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3.

AnalysisAI

Path traversal in Payload CMS storage adapter client-upload signed-URL endpoints (S3, GCS, Azure, R2) prior to version 3.78.0 allows authenticated attackers to escape intended storage locations via unsanitized filenames, enabling arbitrary file writes to cloud storage buckets. The vulnerability requires user authentication and affects all four cloud storage integrations across the Payload CMS ecosystem.

Technical ContextAI

Payload CMS provides cloud storage adapters (@payloadcms/storage-s3, @payloadcms/storage-gcs, @payloadcms/storage-azure, @payloadcms/storage-r2) that generate signed URLs for client-side file uploads to various cloud providers. The vulnerability stems from CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), where filename inputs are not properly sanitized before being used to construct cloud storage object paths. An attacker can inject path traversal sequences (e.g., '../', '..\\') into filenames during the signed-URL request, allowing the crafted filename to escape the intended storage directory and write files to arbitrary locations within the cloud bucket namespace.

RemediationAI

Upgrade all affected storage adapter packages to version 3.78.0 or later. Users should update @payloadcms/storage-s3, @payloadcms/storage-gcs, @payloadcms/storage-azure, and @payloadcms/storage-r2 simultaneously to ensure consistent filename sanitization across all cloud backends. Review deployment configurations to verify client-upload signed-URL endpoints are in use; if not required, consider disabling this feature. Audit cloud storage bucket logs and file listings (particularly in shared or multi-tenant environments) for any suspicious filenames containing path traversal sequences (../, ..\, etc.) that may indicate exploitation. See https://github.com/payloadcms/payload/security/advisories/GHSA-frq9-7j6g-v74x for patch release details and migration guidance.

Share

EUVD-2026-18019 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy