GHSA-frq9-7j6g-v74x

Source

https://github.com/advisories/GHSA-frq9-7j6g-v74x

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-frq9-7j6g-v74x/GHSA-frq9-7j6g-v74x.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-frq9-7j6g-v74x

Aliases

CVE-2026-34750

Published

2026-04-01T21:44:09Z

Modified

2026-04-01T21:46:43.307191Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints

Details

Impact

The client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize filenames. An attacker could craft filenames to escape the intended storage location.

Consumers are affected if ALL of these are true:

Payload version < v3.78.0
Using client-upload signed-URL endpoints for any supported storage adapter

Patches

This vulnerability has been patched in v3.78.0. Filename validation has been hardened for client uploads.

Consumers should upgrade to v3.78.0 or later.

Workarounds

Consumers can upgrade:

Limit access to client-upload signed-URL endpoints to trusted users only.

Database specific

{
    "nvd_published_at": "2026-04-01T20:16:27Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "github_reviewed_at": "2026-04-01T21:44:09Z",
    "github_reviewed": true,
    "severity": "MODERATE"
}

References

Affected packages

npm / @payloadcms/storage-azure

Package

Name: @payloadcms/storage-azure; View open source insights on deps.dev
Purl: pkg:npm/%40payloadcms/storage-azure

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.78.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-frq9-7j6g-v74x/GHSA-frq9-7j6g-v74x.json"

npm / @payloadcms/storage-gcs

Package

Name: @payloadcms/storage-gcs; View open source insights on deps.dev
Purl: pkg:npm/%40payloadcms/storage-gcs

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.78.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-frq9-7j6g-v74x/GHSA-frq9-7j6g-v74x.json"

npm / @payloadcms/storage-r2

Package

Name: @payloadcms/storage-r2; View open source insights on deps.dev
Purl: pkg:npm/%40payloadcms/storage-r2

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.78.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-frq9-7j6g-v74x/GHSA-frq9-7j6g-v74x.json"

npm / @payloadcms/storage-s3

Package

Name: @payloadcms/storage-s3; View open source insights on deps.dev
Purl: pkg:npm/%40payloadcms/storage-s3

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.78.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-frq9-7j6g-v74x/GHSA-frq9-7j6g-v74x.json"

GHSA-frq9-7j6g-v74x

Impact

Patches

Workarounds

Affected packages

npm / @payloadcms/storage-azure

Package

Affected ranges

Database specific

npm / @payloadcms/storage-gcs

Package

Affected ranges

Database specific

npm / @payloadcms/storage-r2

Package

Affected ranges

Database specific

npm / @payloadcms/storage-s3

Package

Affected ranges

Database specific