CVE-2026-34750

MEDIUM NVD

CVSS Score 6.5

Severity MEDIUM

Published Apr 01, 2026

Vendor unknown

Description

Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3, the client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize filenames. An attacker could craft filenames to escape the intended storage location. This issue has been patched in version 3.78.0 for @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3.

References

https://github.com/payloadcms/payload/security/advisories/GHSA-frq9-7j6g-v74x