Platform
nodejs
Component
@payloadcms/next
Fixed in
3.78.1
3.78.0
A stored Cross-site Scripting (XSS) vulnerability has been identified in the @payloadcms/next admin panel. This allows an authenticated user with write access to a collection to inject malicious scripts into content. When other users view this content, the script executes within their browser, potentially leading to session hijacking or data theft. The vulnerability affects versions prior to v3.78.0 and has been resolved with output encoding improvements.
The primary impact of this XSS vulnerability is the potential for an attacker to execute arbitrary JavaScript code within the context of another user's browser session. This could allow an attacker to steal session cookies, redirect users to malicious websites, or deface the application. Given the admin panel context, an attacker could potentially gain access to sensitive data or perform actions on behalf of the affected user. The severity is heightened by the ability to inject content via collections, which are often used to manage dynamic content within the application.
This vulnerability is not currently listed on KEV or EPSS. The CVSS score of 8.7 (HIGH) indicates a significant risk. Public proof-of-concept (POC) exploits are not currently known, but the XSS nature of the vulnerability makes it likely that such exploits will emerge. The vulnerability was published on 2026-04-01, suggesting it is relatively recent.
Exploit Status
EPSS
0.03% (9% percentile)
CISA SSVC
CVSS Vector
The recommended mitigation is to immediately upgrade to @payloadcms/next version 3.78.0 or later. This version includes output encoding that prevents user-supplied content from being interpreted as markup. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter potentially malicious input based on common XSS patterns. Carefully review and sanitize all user-supplied input before rendering it in the application. After upgrading, confirm the fix by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) into a collection and verifying that it is properly encoded and does not execute.
Actualice Payload a la versión 3.78.0 o superior. Esta versión corrige la vulnerabilidad XSS almacenada en el panel de administración. La actualización evitará que usuarios autenticados con acceso de escritura puedan inyectar código malicioso que se ejecute en el navegador de otros usuarios.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-34748 is a stored Cross-site Scripting (XSS) vulnerability in @payloadcms/next versions before 3.78.0. An authenticated user can inject malicious scripts into collection content, impacting other users.
You are affected if you are using @payloadcms/next versions prior to 3.78.0, have at least one collection with versions enabled, and an authenticated user has create or update access to that collection.
Upgrade to @payloadcms/next version 3.78.0 or later. This version includes output encoding to prevent XSS. Consider WAF rules as a temporary mitigation if upgrading isn't immediate.
While no public exploits are currently known, the XSS nature of the vulnerability suggests potential for exploitation. Monitor for any suspicious activity.
Refer to the official @payloadcms/next release notes and security advisories on their website or GitHub repository for details about this vulnerability and the fix.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.