Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-34750

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): HIGH
Availability impact (A): NONE

created 2 weeks, 2 days ago

Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints

Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3, the client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize filenames. An attacker could craft filenames to escape the intended storage location. This issue has been patched in version 3.78.0 for @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3.

References

https://github.com/payloadcms/payload/security/advisories/GHSA-frq9-7j6g-v74x x_refsource_CONFIRM

Affected products

payload

==< 3.78.0

Matching in nixpkgs

pkgs.payload_dumper

Android OTA payload dumper

nixos-unstable 0-unstable-2022-04-11
- nixpkgs-unstable 0-unstable-2022-04-11
- nixos-unstable-small 0-unstable-2022-04-11
nixos-25.11 0-unstable-2022-04-11
- nixos-25.11-small 0-unstable-2022-04-11
- nixpkgs-25.11-darwin 0-unstable-2022-04-11

pkgs.payload-dumper-go

Android OTA payload dumper written in Go

nixos-unstable 1.3.0
- nixpkgs-unstable 1.3.0
- nixos-unstable-small 1.3.0
nixos-25.11 1.3.0
- nixos-25.11-small 1.3.0
- nixpkgs-25.11-darwin 1.3.0

pkgs.payloadsallthethings

List of useful payloads and bypass for Web Application Security and Pentest/CTF

nixos-unstable 2025.1
- nixpkgs-unstable 2025.1
- nixos-unstable-small 2025.1
nixos-25.11 2025.1
- nixos-25.11-small 2025.1
- nixpkgs-25.11-darwin 2025.1

pkgs.android-ota-payload-extractor

A fast & natively cross-platform Android OTA payload extractor written in Go

nixos-unstable 1.1
- nixpkgs-unstable 1.1
- nixos-unstable-small 1.1

Package maintainers

@Aleksanaa Aleksana QwQ <me@aleksana.moe>
@DamienCassou Damien Cassou <damien@cassou.me>
@shard77 Léon Gessner <sh7user@gmail.com>
@johnrtitor Masum Reza <masumrezarock100@gmail.com>
@RossComputerGuy Tristan Ross <tristan.ross@midstall.com>
@hadilq Hadi Lashkari Ghouchani <hadilq.dev@gmail.com>
@MatthewCroughan Matthew Croughan <matt@croughan.sh>
@numinit Morgan Jones <me+nixpkgs@numin.it>
@adrian-gierakowski Adrian Gierakowski <adrian.gierakowski@gmail.com>