Lookup for vulnerable packages by Package URL.

Purl pkg:npm/%40payloadcms/storage-s3@3.48.0-canary.0
Type npm
Namespace @payloadcms
Name storage-s3
Version 3.48.0-canary.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 3.78.0
Latest_non_vulnerable_version 3.78.0
Affected_by_vulnerabilities
0
url VCID-sdvw-682n-m7c7
vulnerability_id VCID-sdvw-682n-m7c7
summary
Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints
### Impact

The client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize filenames. An attacker could craft filenames to escape the intended storage location.

Consumers are affected if ALL of these are true:

- Payload version **< v3.78.0**
- Using client-upload signed-URL endpoints for any supported storage adapter

## Patches

This vulnerability has been patched in **v3.78.0**. Filename validation has been hardened for client uploads.

Consumers should upgrade to **v3.78.0** or later.

## Workarounds

Consumers can upgrade:

- Limit access to client-upload signed-URL endpoints to trusted users only.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34750
reference_id
reference_type
scores
0
value 0.00024
scoring_system epss
scoring_elements 0.07098
published_at 2026-06-05T12:55:00Z
1
value 0.00024
scoring_system epss
scoring_elements 0.07089
published_at 2026-06-07T12:55:00Z
2
value 0.00024
scoring_system epss
scoring_elements 0.07104
published_at 2026-06-06T12:55:00Z
3
value 0.00028
scoring_system epss
scoring_elements 0.08344
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34750
1
reference_url https://github.com/payloadcms/payload
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/payloadcms/payload
2
reference_url https://github.com/payloadcms/payload/security/advisories/GHSA-frq9-7j6g-v74x
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:33:26Z/
url https://github.com/payloadcms/payload/security/advisories/GHSA-frq9-7j6g-v74x
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34750
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34750
4
reference_url https://github.com/advisories/GHSA-frq9-7j6g-v74x
reference_id GHSA-frq9-7j6g-v74x
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-frq9-7j6g-v74x
fixed_packages
0
url pkg:npm/%40payloadcms/storage-s3@3.78.0
purl pkg:npm/%40payloadcms/storage-s3@3.78.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540payloadcms/storage-s3@3.78.0
aliases CVE-2026-34750, GHSA-frq9-7j6g-v74x
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sdvw-682n-m7c7
Fixing_vulnerabilities
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540payloadcms/storage-s3@3.48.0-canary.0