CVE-2026-34750
Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints
描述
### Impact The client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize filenames. An attacker could craft filenames to escape the intended storage location. Consumers are affected if ALL of these are true: - Payload version **< v3.78.0** - Using client-upload signed-URL endpoints for any supported storage adapter ## Patches This vulnerability has been patched in **v3.78.0**. Filename validation has been hardened for client uploads. Consumers should upgrade to **v3.78.0** or later. ## Workarounds Consumers can upgrade: - Limit access to client-upload signed-URL endpoints to trusted users only.
如何修補 CVE-2026-34750
要修補 CVE-2026-34750,請將受影響套件升級到下列已修補版本。
- —升級至 3.78.0 或更新版本
- —升級至 3.78.0 或更新版本
- —升級至 3.78.0 或更新版本
- —升級至 3.78.0 或更新版本
CVE-2026-34750 正在被利用嗎?
低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。
受影響套件(4)
- from 0, < 3.78.0
- from 0, < 3.78.0
- from 0, < 3.78.0
- from 0, < 3.78.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |