CVE-2026-34749

Versions sourced from the GitHub Security Advisory.

• Payloadcms/Payload

  cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:*

  Range: <3.79.1

No patches discovered yet.

AI mechanics synthesis has not run for this CVE yet.

• github.com/advisories/GHSA-p6mr-xf3r-ghq4ghsaADVISORY
• github.com/payloadcms/payload/security/advisories/GHSA-p6mr-xf3r-ghq4nvdVendor AdvisoryMitigationWEB
• nvd.nist.gov/vuln/detail/CVE-2026-34749ghsaADVISORY
• github.com/payloadcms/payload/releases/tag/v3.79.1nvdProductRelease NotesWEB

• Funnel Builder Flaw Under Active Exploitation Enables WooCommerce Checkout Skimming
  The Hacker News · May 16, 2026
• Funnel Builder WordPress plugin bug exploited to steal credit cards
  BleepingComputer · May 15, 2026
• Metasploit Wrap-Up 05/15/2026
  Rapid7 Blog · May 15, 2026
• In Other News: Big Tech vs Canada Encryption Bill, Cisco’s Free AI Security Spec, Audi App Flaws
  SecurityWeek · May 15, 2026
• Gremlin Stealer Evolves into Modular Threat with Advanced Evasion Capabilities
  Infosecurity Magazine · May 15, 2026
• Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files
  Unit 42 · May 15, 2026
• China-Linked Hackers Deploy New TencShell Malware Against Global Manufacturer
  Infosecurity Magazine · May 15, 2026
• Stealer Backdoor Found in 3 Node-IPC Versions Targeting Developer Secrets
  The Hacker News · May 14, 2026
• 'FrostyNeighbor' APT Carefully Targets Govt Orgs in Poland, Ukraine
  Dark Reading · May 14, 2026
• ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories
  The Hacker News · May 14, 2026
• Cyber-Enabled Cargo Crime: How Cybercrime Tradecraft is Used to Steal Freight
  BleepingComputer · May 14, 2026
• Mustang Panda Linked to Updated FDMTP Backdoor in Asia-Pacific Espionage Campaign
  Infosecurity Magazine · May 14, 2026
• Ghostwriter Targets Ukrainian Government With Geofenced PDF Phishing, Cobalt Strike
  The Hacker News · May 14, 2026
• New Fragnesia Flaw Hands Linux Local Users Root Access
  Infosecurity Magazine · May 14, 2026
• Chinese APTs Expand Targets, Update Backdoors in Recent Campaigns
  SecurityWeek · May 14, 2026
• Kimsuky targets organizations with PebbleDash-based tools
  Securelist · May 14, 2026
• FrostyNeighbor: Fresh mischief and digital shenanigans
  ESET WeLiveSecurity · May 14, 2026
• New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption
  The Hacker News · May 14, 2026
• Vector embedding security gap exposes enterprise AI pipelines
  Help Net Security · May 14, 2026
• Attackers Weaponize RubyGems for Data Dead Drops
  Dark Reading · May 13, 2026
• When IT Support Calls: Dissecting a ModeloRAT Campaign from Teams to Domain Compromise
  Rapid7 Blog · May 13, 2026
• China's 'FamousSparrow' APT Nests in South Caucasus Energy Firm
  Dark Reading · May 13, 2026
• Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation
  The Hacker News · May 13, 2026
• GemStuffer Abuses 150+ RubyGems to Exfiltrate Scraped U.K. Council Portal Data
  The Hacker News · May 13, 2026
• Fake Claude search results lure Mac users into ClickFix attack
  Malwarebytes Labs · May 12, 2026
• Mini Shai-Hulud Hits TanStack npm Packages
  Infosecurity Magazine · May 12, 2026
• Free OnlyFans Lure Used to Spread Cross-Platform CRPx0 Malware
  SecurityWeek · May 12, 2026
• 20 Leaders Who Built the CISO Era: 2 Decades of Change
  Dark Reading · May 12, 2026
• Cache-poisoning caper turns TanStack npm packages toxic
  The Register Security · May 12, 2026
• Attackers Combine ClickFix With PySoxy Proxying to Maintain Persistence
  Infosecurity Magazine · May 12, 2026
• Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages
  The Hacker News · May 12, 2026
• Shai Hulud attack ships signed malicious TanStack, Mistral npm packages
  BleepingComputer · May 12, 2026
• Is the SOC Obsolete, and We Just Haven’t Admitted It Yet?
  SecurityWeek · May 12, 2026
• TanStack, Mistral AI, UiPath Hit in Fresh Supply Chain Attack
  SecurityWeek · May 12, 2026
• State-sponsored actors, better known as the friends you don’t want
  Cisco Talos Intelligence · May 12, 2026
• Malicious Hugging Face Repository Typosquats OpenAI
  Infosecurity Magazine · May 12, 2026
• Cookie thieves caught stealing dev secrets via fake Claude Code installers
  The Register Security · May 11, 2026
• Tech Can't Stop These Threats — Your People Can
  Dark Reading · May 11, 2026
• Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation
  The Hacker News · May 11, 2026
• Google researchers uncover criminal zero-day exploit likely built with AI
  Help Net Security · May 11, 2026
• ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
  The Hacker News · May 11, 2026
• Hackers abuse Google ads, Claude.ai chats to push Mac malware
  BleepingComputer · May 10, 2026
• JDownloader site hacked to replace installers with Python RAT malware
  BleepingComputer · May 9, 2026
• Fake OpenAI repository on Hugging Face pushes infostealer malware
  BleepingComputer · May 9, 2026
• Metasploit Wrap-Up 05/08/2026
  Rapid7 Blog · May 8, 2026
• TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms
  The Hacker News · May 8, 2026
• Zero Chaos: Scaling Detection Engineering at the Speed of Software, with Detection As Code
  Rapid7 Blog · May 8, 2026
• New TCLBanker malware self-spreads over WhatsApp and Outlook
  BleepingComputer · May 7, 2026
• Unplug your way to better code
  Cisco Talos Intelligence · May 7, 2026
• PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems
  The Hacker News · May 7, 2026