anonhaven
Ad

CVE-2026-34749

MEDIUM CVSS 3.1: 5.4 EPSS 0.03%
Updated Apr 03, 2026
Payload
Parameter Value
CVSS 5.4 (MEDIUM)
Fixed In 3.79.1
Type CWE-352 (Cross-Site Request Forgery (CSRF))
Vendor Payload
Public PoC No

Payload is a free and open source headless content management system. Prior to version 3.79.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made.

This issue has been patched in version 3.79.1.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
None
No data leak
Integrity
Low
Partial data modification
Availability
Low
Partial disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-352 Cross-Site Request Forgery (CSRF)

References 2

https://github.com/payloadcms/payload/releases/tag/v3.79.1
security-advisories@github.com
https://github.com/payloadcms/payload/security/advisories/GHSA-p6mr-xf3r-ghq4
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-40922

Payload

5.3

CVE-2026-35469

Payload

8.7

CVE-2026-40901

Payload

7.5

CVE-2024-8010

Payload

3.5

CVE-2025-40899

Payload

7.1