SQL Injection Vulnerability in Payload CMS Affects Versions Prior to 3.79.1
CVE-2026-34747

8.5 HIGH

Key Information:

Vendor

Payloadcms

Status
Vendor
CVE Published: 1 April 2026

What is CVE-2026-34747?

Versions of the Payload content management system prior to 3.79.1 do not properly validate certain inputs in requests. This may allow an attacker to craft malicious requests that manipulate SQL query execution, potentially leading to unauthorized access to sensitive data or modification of data within collections. To mitigate this risk, users should promptly update to version 3.79.1, where this issue has been addressed.

Affected Version(s)

payload < 3.79.1

CVSS V3.1

Score: 8.5
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
