logo

Database

SQL injection - Code In payload

Description

Payload has an SQL Injection via Query Handling

Impact

Certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections.

Patches

This issue has been fixed in v3.79.1 and later. Query input validation has been hardened.

Upgrade to v3.79.1 or later.

Workarounds

Until developers can upgrade:

    Limit access to endpoints that accept dynamic query inputs to trusted users only.

    Validate or sanitize input from untrusted clients before sending it to query endpoints.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-347472. NVD-2026-347473. OSV-2026-347474. GHSA-7xxh-373w-35vg5. GCVE-2026-34747

References

1. https://github.com/payloadcms/payload/security/advisories/GHSA-7xxh-373w-35vg2. https://github.com/payloadcms/payload/releases/tag/v3.79.1

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.