Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints
The client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize filenames. An attacker could craft filenames to escape the intended storage location. Consumers are affected if ALL of these are true: Payload version < v3.78.0 Using client-upload signed-URL endpoints for any supported storage adapter