CVE-2026-34748

@payloadcms/next has Stored XSS in Admin Panel

Description

Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/next, a stored Cross-Site Scripting (XSS) vulnerability existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another user, would execute in their browser. This issue has been patched in version 3.78.0.

INFO

Published Date :

2026-04-01T19:48:10.297Z

Last Modified :

2026-04-02T16:24:38.880Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-34748 vulnerability.

Vendors	Products
Payloadcms	Payload

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-34748.

URL	Resource
https://github.com/payloadcms/payload/security/advisories/GHSA-mmxc-95ch-2j7c

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact