CVE-2026-34747
SQL Injection in Payload CMS Allows Data Exposure and Modification
Publication date: 2026-04-01
Last updated on: 2026-04-13
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| payloadcms | payload | up to 3.79.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34747 is a high-severity SQL Injection vulnerability affecting the open source headless content management system called Payload in versions prior to 3.79.1.
The vulnerability occurs because certain request inputs are not properly validated, allowing an attacker to craft malicious requests that manipulate SQL query execution.
This improper validation means that user inputs can be interpreted as SQL code rather than data, enabling attackers to inject SQL commands.
As a result, attackers can potentially expose or modify data within collections managed by the system.
The issue has been fixed in version 3.79.1 by improving query input validation.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized exposure or modification of data within the affected system's collections.
Because the attack vector is network-based with low complexity, an attacker with low privileges can exploit it without user interaction.
The confidentiality impact is high, meaning sensitive data could be leaked.
The integrity impact is low, indicating some data modification is possible but limited.
Availability is not affected by this vulnerability.
Until patched, users should restrict access to endpoints that accept dynamic query inputs and validate or sanitize inputs from untrusted clients.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from improper validation of certain request inputs that can be used to manipulate SQL queries. Detection involves monitoring for unusual or crafted requests targeting endpoints that accept dynamic query inputs.
Since the vulnerability is network-based and involves SQL Injection, you can detect potential exploitation attempts by inspecting web server logs or network traffic for suspicious payloads containing SQL syntax or injection patterns.
- Use web server log analysis tools or grep commands to search for common SQL injection patterns, such as ' OR ', ' AND ', '--', or other SQL keywords in request parameters.
- Example command to search logs for suspicious SQL injection attempts: `grep -iE "(\bor\b|\band\b|--|;|')" /path/to/access.log`
- Use network monitoring tools like Wireshark or tcpdump to capture HTTP requests and analyze for suspicious query parameters.
- If you have application-level logging, enable detailed request logging to capture inputs to endpoints that accept dynamic queries.
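The log triage described above, as an added example that is not part of this advisory or of Payload's own code: it parses combined-format access-log lines, URL-decodes the query parameters of requests under Payload's default `/api/` REST prefix, and flags values that contain the same SQL indicators the grep looks for. The `where[field][op]=value` parameter shape follows Payload's REST query convention; the log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache/Nginx "combined" access-log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The same indicators the grep above looks for: a quote, a comment marker, a
# statement separator, or a bare boolean/keyword. Heuristic: expect some false
# positives on free-text search values and review hits by hand.
SQLI_RE = re.compile(r"(?:'|--|;|\b(?:or|and|union|select)\b)", re.IGNORECASE)

def suspicious_params(target):
    """Return (name, decoded_value) for each query parameter that matches SQLI_RE."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote_plus(value)  # second pass catches double-encoded values
        if SQLI_RE.search(decoded):
            hits.append((name, decoded))
    return hits

def scan_log(lines, api_prefix="/api/"):
    """Flag requests under api_prefix (Payload's default REST base) carrying SQL-like input."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m.group("target").startswith(api_prefix):
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            flagged.append({"client": m.group("client"), "ts": m.group("ts"),
                            "status": m.group("status"), "hits": hits})
    return flagged

# Constructed sample log (not real traffic): one benign query, two suspicious ones,
# and a static asset request that is skipped because it is outside /api/.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Apr/2026:10:00:01 +0000] "GET /api/posts?where[title][equals]=hello&limit=10 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Apr/2026:10:00:02 +0000] "GET /api/posts?where[title][equals]=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9821',
    '198.51.100.7 - - [01/Apr/2026:10:00:03 +0000] "GET /assets/app.js HTTP/1.1" 200 20480',
    '203.0.113.9 - - [01/Apr/2026:10:00:04 +0000] "GET /api/users?where[email][like]=a%27%3B--%20 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for entry in scan_log(SAMPLE_LOG):
        print(entry["ts"], entry["client"], entry["status"], entry["hits"])
```

A 5xx status on a flagged request is worth prioritising, since a query that the database rejected is a common side effect of a malformed injection attempt.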
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the payload package to version 3.79.1 or later, where the vulnerability has been patched by hardening query input validation.
Until you can upgrade, you should restrict access to endpoints that accept dynamic query inputs to trusted users only.
Additionally, validate or sanitize all inputs from untrusted clients before processing them to prevent malicious SQL code from being executed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized exposure or modification of data within collections due to SQL Injection, which can lead to breaches of data confidentiality.
Such unauthorized data exposure or modification can negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access or alteration.
Therefore, if exploited, this vulnerability could result in non-compliance with these regulations by compromising the confidentiality and integrity of protected data.