Description
Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/next, a stored Cross-Site Scripting (XSS) vulnerability existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another user, would execute in their browser. This issue has been patched in version 3.78.0.
Published: 2026-04-01
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting in Admin Panel
Action: Immediate Patch
AI Analysis

Impact

A vulnerability allows an authenticated user with write permissions in Payload’s admin panel to store malicious JavaScript content. When a different authenticated user later views the stored content, the script runs in that user’s browser, enabling arbitrary client‑side code execution. The weakness is a stored Cross‑Site Scripting flaw identified as CWE‑79.

Affected Systems

The flaw affects the @payloadcms/next module of Payload CMS, a free, open‑source headless content management system. Any deployment running @payloadcms/next before version 3.78.0 is impacted, regardless of the underlying Node.js environment.

Risk and Exploitability

The CVSS score of 8.7 classifies the issue as high severity. The EPSS score of less than 1 % suggests a low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog, indicating no known widespread exploit. An attacker would need valid credentials with write access to a collection; once malicious content is stored, any authenticated user who views the content experiences script execution. Consequently, the risk is primarily significant for systems where write permissions are broadly granted or where compromised accounts exist.

Generated by OpenCVE AI on April 13, 2026 at 21:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Payload to version 3.78.0 or later.
  • Restrict write access to trusted users only.

Generated by OpenCVE AI on April 13, 2026 at 21:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mmxc-95ch-2j7c @payloadcms/next has Stored XSS in Admin Panel
History

Mon, 13 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:*

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Payloadcms
Payloadcms payload
Vendors & Products Payloadcms
Payloadcms payload

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/next, a stored Cross-Site Scripting (XSS) vulnerability existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another user, would execute in their browser. This issue has been patched in version 3.78.0.
Title @payloadcms/next has Stored XSS in Admin Panel
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

Payloadcms Payload
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T16:24:38.880Z

Reserved: 2026-03-30T19:17:10.224Z

Link: CVE-2026-34748

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T20:16:27.040

Modified: 2026-04-13T19:13:21.220

Link: CVE-2026-34748

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:42:08Z

Weaknesses