CVE-2026-34748
Impact
A stored Cross-site Scripting (XSS) vulnerability existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another user, would execute in their browser.
Consumers are affected if ALL of these are true:
- Payload version < v3.78.0
- At least one collection with versions enabled
- An authenticated user has create or update access to that collection
Patches
This vulnerability has been patched in v3.78.0. Output encoding has been added to prevent user-supplied content from being interpreted as markup.
Users should upgrade to v3.78.0 or later.
Workarounds
If consumers cannot upgrade immediately:
- Restrict create and update access to versioned collections to trusted roles only.
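As an added illustration of the workaround (example configuration written for this page, not code from the advisory or the Payload project): a versioned collection whose create and update access functions only pass for authenticated users carrying a trusted role. The role field on the user document, the role names and the minimal local types standing in for Payload's own types are assumptions; the access and versions keys are the collection config surface Payload documents.

```typescript
// Added example: lock create/update on a versioned collection to trusted roles.
// Assumptions: users carry a `role` field; 'admin' and 'editor' are the trusted roles.
// Minimal local types replace Payload's `CollectionConfig`/`Access` so this
// type-checks and runs without the `payload` package installed.
type User = { id: string; role?: string };
type AccessArgs = { req: { user?: User | null } };
type Access = (args: AccessArgs) => boolean;

const TRUSTED_ROLES: ReadonlySet<string> = new Set(['admin', 'editor']);

// Deny anonymous requests and any user outside the trusted set.
export const trustedWriteAccess: Access = ({ req }) => {
  const user = req.user;
  if (!user || !user.role) return false;
  return TRUSTED_ROLES.has(user.role);
};

// Collection config in the shape Payload expects: versions stay enabled,
// but only trusted roles can create or update documents in it.
export const Posts = {
  slug: 'posts',
  versions: { drafts: true },
  access: {
    create: trustedWriteAccess,
    update: trustedWriteAccess,
  },
  fields: [{ name: 'title', type: 'text', required: true }],
};
```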
References
- https://github.com/payloadcms/payload/security/advisories/GHSA-mmxc-95ch-2j7c
- https://nvd.nist.gov/vuln/detail/CVE-2026-34748
- https://github.com/payloadcms/payload
