GHSA-7xxh-373w-35vg

Source
https://github.com/advisories/GHSA-7xxh-373w-35vg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-7xxh-373w-35vg/GHSA-7xxh-373w-35vg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7xxh-373w-35vg
Aliases
  • CVE-2026-34747
Published
2026-04-01T21:19:03Z
Modified
2026-04-06T17:03:39.306874Z
Severity
  • 8.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Summary
Payload has an SQL Injection via Query Handling
Details

Impact

Certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections.

Patches

This issue has been fixed in v3.79.1 and later. Query input validation has been hardened.

Upgrade to v3.79.1 or later.
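
One way to confirm which installed copies of the npm `payload` package still fall in the affected range (below 3.79.1) is to scan the `packages` map of a `package-lock.json`. This is an added example, not part of the advisory or of Payload's own code; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: affected range from the advisory (introduced 0, fixed 3.79.1).
const PACKAGE = 'payload';
const FIXED = '3.79.1';

// Split "3.79.1-beta.2+build" into its numeric core and a prerelease flag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(v).trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when version < FIXED under semver ordering. Unparseable input is
// reported as affected so it gets a manual look (fail closed).
function isAffected(version) {
  const v = parseVersion(version);
  const f = parseVersion(FIXED);
  if (!v) return true;
  for (let i = 0; i < 3; i++) {
    if (v.core[i] !== f.core[i]) return v.core[i] < f.core[i];
  }
  return v.pre; // 3.79.1-beta.1 sorts before the 3.79.1 release
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3)
// and return every installed copy of the package that is still affected,
// including copies nested under another dependency.
function findAffected(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isTarget = path === `node_modules/${PACKAGE}` ||
      path.endsWith(`/node_modules/${PACKAGE}`);
    if (isTarget && isAffected(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile, not taken from any real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/payload': { version: '3.79.1' },
    'node_modules/legacy-plugin/node_modules/payload': { version: '3.42.0' },
    'node_modules/payload-helper': { version: '1.0.0' },
  },
};
console.log(findAffected(sampleLock));
```

A nested copy pulled in by another dependency is reported even when the top-level install is already at the fixed version.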

Workarounds

Until developers can upgrade:

  • Limit access to endpoints that accept dynamic query inputs to trusted users only.
  • Validate or sanitize input from untrusted clients before sending it to query endpoints.
Database specific
{
    "github_reviewed_at": "2026-04-01T21:19:03Z",
    "nvd_published_at": "2026-04-01T20:16:26Z",
    "cwe_ids": [
        "CWE-89"
    ],
    "severity": "HIGH",
    "github_reviewed": true
}

Affected packages

npm / payload

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.79.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-7xxh-373w-35vg/GHSA-7xxh-373w-35vg.json"