Impact
A path‑traversal issue in the signed‑URL upload endpoints of the Payload content management system allows a remote attacker to craft file names that escape the designated storage bucket. By injecting characters such as '..\' or '/..', the attacker can cause the system to create or overwrite files in arbitrary locations on the storage backend. This can lead to the modification or exposure of sensitive data stored in other buckets or directories, thereby breaching data integrity and confidentiality. The weakness corresponds to CWE‑22, "Improper Restriction of Operations within a File System."
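As an added illustration (not Payload's code and not its actual fix), a server-side check applied to the client-supplied file name before an upload URL is signed could look like this. The function names and the `media` prefix are hypothetical, and a non-empty per-collection prefix is assumed.

```javascript
// Added example: hypothetical helper names, not Payload's own code.
// A client-supplied name must be a single path segment, and the object key
// that gets signed must still sit under the collection's prefix.
function assertSingleSegment(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 255) {
    throw new Error('invalid filename');
  }
  // Reject control bytes, both separator styles, and dot-only names.
  if (/[\u0000-\u001f\\\/]/.test(name) || name === '.' || name === '..') {
    throw new Error('invalid filename');
  }
}

// Collapse "." and ".." segments the way a backend or proxy might.
function normalizeKey(key) {
  const out = [];
  for (const seg of key.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return out.join('/');
}

function buildObjectKey(prefix, clientFilename) {
  let decoded;
  try {
    decoded = decodeURIComponent(clientFilename);
  } catch {
    throw new Error('invalid filename'); // malformed percent-encoding
  }
  // Check raw and decoded forms so "%2e%2e%2f" is caught as well.
  assertSingleSegment(clientFilename);
  assertSingleSegment(decoded);
  const base = normalizeKey(prefix); // assumption: prefix is non-empty
  const key = normalizeKey(`${base}/${clientFilename}`);
  // Defense in depth: refuse to sign a key that left the prefix.
  if (base === '' || !key.startsWith(`${base}/`)) {
    throw new Error('key escapes prefix');
  }
  return key;
}

// Returns the key, or null when the name is rejected.
function tryKey(prefix, name) {
  try { return buildObjectKey(prefix, name); } catch { return null; }
}
```

The validation is deliberately strict: a name containing a literal `%` that is not valid percent-encoding is rejected rather than guessed at.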
Affected Systems
The vulnerability affects versions of Payload before 3.78.0 that use the storage plug-ins @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, or @payloadcms/storage-s3. Users running Payload on Node.js with any of these storage adapters below the specified version are impacted.
Risk and Exploitability
The CVSS score of 6.5 indicates a moderate severity, while an EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, implying no publicly confirmed exploit. Exploitation requires only that an attacker can initiate a client‑upload request to a vulnerable Payload instance; no additional privileges or insider access are required. The attack vector is inferred to be remote, leveraging the exposed upload API endpoint.