CVE-2026-34747: Payload has an SQL Injection via Query Handling

April 1, 2026 (updated April 6, 2026)

Certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections.

References

github.com/advisories/GHSA-7xxh-373w-35vg
github.com/payloadcms/payload
github.com/payloadcms/payload/releases/tag/v3.79.1
github.com/payloadcms/payload/security/advisories/GHSA-7xxh-373w-35vg
nvd.nist.gov/vuln/detail/CVE-2026-34747

Code Behaviors & Features

Detect and mitigate CVE-2026-34747 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →