Primary

Context

Payload CMS Insufficient Filename Validation in Client-Upload Signed-URL Endpoints

Vulnerability

Patched

A vulnerability exists in Payload CMS versions prior to 3.78.0 across several storage adapters, including Azure, GCS, R2, and S3. The issue arises from the client-upload signed-URL endpoints, which failed to properly validate filenames. This lack of validation allowed attackers to craft filenames that could escape the designated storage location.

Impact

Exploitation of this vulnerability could lead to unauthorized access or manipulation of files, as crafted filenames could be used to bypass intended storage restrictions.

Remediation

Users are advised to upgrade to Payload CMS version 3.78.0 or later, where this vulnerability has been addressed. Until an upgrade can be performed, access to client-upload signed-URL endpoints should be restricted to trusted users only.

Added: Apr 1, 2026, 8:22 PM

Updated: Apr 1, 2026, 8:22 PM

Vulnerability Rating

Custom Algorithm

spread

2.2

impact

0.2

exploitability

5.0

remediation

7.9

relevance

5.1

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

2.2

impact

0.2

exploitability

5.0

remediation

7.9

relevance

5.1

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Payload CMS Insufficient Filename Validation in Client-Upload Signed-URL Endpoints

Vulnerability

Impact

Remediation

Affected Products

@payloadcms/payload

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating