Untriaged
CVE-2026-34747
8.5 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): CHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): LOW
- Availability impact (A): NONE
Payload has an SQL Injection via Query Handling
Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections. This issue has been patched in version 3.79.1.
References
- https://github.com/payloadcms/payload/security/advisories/GHSA-7xxh-373w-35vg x_refsource_CONFIRM
- https://github.com/payloadcms/payload/releases/tag/v3.79.1 x_refsource_MISC
Affected products
payload
- ==< 3.79.1
Matching in nixpkgs
pkgs.payload_dumper
Android OTA payload dumper
- nixos-unstable 0-unstable-2022-04-11
- nixpkgs-unstable 0-unstable-2022-04-11
- nixos-unstable-small 0-unstable-2022-04-11
- nixos-25.11 0-unstable-2022-04-11
- nixos-25.11-small 0-unstable-2022-04-11
- nixpkgs-25.11-darwin 0-unstable-2022-04-11
pkgs.payload-dumper-go
Android OTA payload dumper written in Go
pkgs.payloadsallthethings
List of useful payloads and bypass for Web Application Security and Pentest/CTF
pkgs.android-ota-payload-extractor
A fast & natively cross-platform Android OTA payload extractor written in Go
Package maintainers
- @Aleksanaa Aleksana QwQ <me@aleksana.moe>
- @DamienCassou Damien Cassou <damien@cassou.me>
- @shard77 Léon Gessner <sh7user@gmail.com>
- @johnrtitor Masum Reza <masumrezarock100@gmail.com>
- @RossComputerGuy Tristan Ross <tristan.ross@midstall.com>
- @hadilq Hadi Lashkari Ghouchani <hadilq.dev@gmail.com>
- @MatthewCroughan Matthew Croughan <matt@croughan.sh>
- @numinit Morgan Jones <me+nixpkgs@numin.it>
- @adrian-gierakowski Adrian Gierakowski <adrian.gierakowski@gmail.com>