Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/972104?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/972104?format=api", "purl": "pkg:npm/%40payloadcms/storage-azure@3.0.0-beta.84", "type": "npm", "namespace": "@payloadcms", "name": "storage-azure", "version": "3.0.0-beta.84", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.78.0", "latest_non_vulnerable_version": "3.78.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/17254?format=api", "vulnerability_id": "VCID-dgsy-egry-g3ba", "summary": "Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints\n### Impact\n\nThe client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize filenames. An attacker could craft filenames to escape the intended storage location.\n\nConsumers are affected if ALL of these are true:\n\n- Payload version **< v3.78.0**\n- Using client-upload signed-URL endpoints for any supported storage adapter\n\n ## Patches\n\nThis vulnerability has been patched in **v3.78.0**. Filename validation has been hardened for client uploads.\n\nConsumers should upgrade to **v3.78.0** or later.\n\n## Workarounds\n\nConsumers can upgrade:\n\n- Limit access to client-upload signed-URL endpoints to trusted users only.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34750", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07218", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34750" }, { "reference_url": "https://github.com/payloadcms/payload", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/payloadcms/payload" }, { "reference_url": "https://github.com/payloadcms/payload/security/advisories/GHSA-frq9-7j6g-v74x", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:33:26Z/" } ], "url": "https://github.com/payloadcms/payload/security/advisories/GHSA-frq9-7j6g-v74x" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34750", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34750" }, { "reference_url": "https://github.com/advisories/GHSA-frq9-7j6g-v74x", "reference_id": "GHSA-frq9-7j6g-v74x", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-frq9-7j6g-v74x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49745?format=api", "purl": "pkg:npm/%40payloadcms/storage-azure@3.78.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540payloadcms/storage-azure@3.78.0" } ], "aliases": [ "CVE-2026-34750", "GHSA-frq9-7j6g-v74x" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dgsy-egry-g3ba" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540payloadcms/storage-azure@3.0.0-beta.84" }