Description
Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections. This issue has been patched in version 3.79.1.
Published: 2026-04-01
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Confidentiality and Integrity Compromise via SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises because certain request inputs are not properly validated in Payload CMS, allowing an attacker to inject arbitrary SQL into database queries. This flaw can lead to the exposure or modification of data stored in collections, compromising both confidentiality and integrity of the system. The weakness corresponds to CWE‑89, SQL Injection.

Affected Systems

Payload CMS before version 3.79.1 is affected. The issue exists in all releases of the Payload CMS product by Payload CMS that shipped prior to the v3.79.1 release.

Risk and Exploitability

The common vulnerability scoring system assigns a high severity of 8.5, indicating a serious risk. The EPSS score of less than 1% suggests that exploitation is currently unlikely. Because the vulnerability is not listed in the CISA KEV catalog, no confirmed widespread exploitation has been reported. Attackers would need to send crafted HTTP requests to endpoints that use untrusted input in SQL queries. The attack vector is inferred to be remote over the network, though the description does not explicitly state this. Security teams should treat this as a high‑risk issue that requires timely remediation.

Generated by OpenCVE AI on April 13, 2026 at 21:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Payload CMS to version 3.79.1 or later.

Generated by OpenCVE AI on April 13, 2026 at 21:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7xxh-373w-35vg Payload has an SQL Injection via Query Handling
History

Mon, 13 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:*

Sat, 04 Apr 2026 03:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Payloadcms
Payloadcms payload
Vendors & Products Payloadcms
Payloadcms payload

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections. This issue has been patched in version 3.79.1.
Title Payload has an SQL Injection via Query Handling
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N'}

Subscriptions

Payloadcms Payload
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-04T03:07:40.291Z

Reserved: 2026-03-30T19:17:10.224Z

Link: CVE-2026-34747

cve-icon Vulnrichment

Updated: 2026-04-04T03:07:35.974Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T20:16:26.887

Modified: 2026-04-13T18:53:11.523

Link: CVE-2026-34747

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:42:09Z

Weaknesses