{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34748", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T19:17:10.224Z", "datePublished": "2026-04-01T19:48:10.297Z", "dateUpdated": "2026-04-02T16:24:38.880Z"}, "containers": {"cna": {"title": "@payloadcms/next has Stored XSS in Admin Panel", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-mmxc-95ch-2j7c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/payloadcms/payload/security/advisories/GHSA-mmxc-95ch-2j7c"}], "affected": [{"vendor": "payloadcms", "product": "payload", "versions": [{"version": "< 3.78.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T19:48:10.297Z"}, "descriptions": [{"lang": "en", "value": "Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/next, a stored Cross-Site Scripting (XSS) vulnerability existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another user, would execute in their browser. This issue has been patched in version 3.78.0."}], "source": {"advisory": "GHSA-mmxc-95ch-2j7c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T15:49:07.409157Z", "id": "CVE-2026-34748", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T16:24:38.880Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/next, a stored Cross-Site Scripting (XSS) vulnerability existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another user, would execute in their browser. This issue has been patched in version 3.78.0."}], "id": "CVE-2026-34748", "lastModified": "2026-04-03T16:10:52.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-01T20:16:27.040", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/payloadcms/payload/security/advisories/GHSA-mmxc-95ch-2j7c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.78.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "payload", "source": "cna", "vendor": "payloadcms"}, "product": "payload", "vendor": "payloadcms"}], "analysis": {"en": {"generated_at": "2026-04-02T04:31:58.027856+00:00", "value": {"mitigation_remediation": ["Upgrade Payload CMS to version 3.78.0 or later.", "If upgrading immediately is not possible, remove or sanitize any content that may contain malicious scripts.", "Restrict write permissions on collections until the patch is applied.", "Confirm that the admin panel is serving content from the updated version."], "summary": {"action": "Patch Immediately", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The issue targets Payload CMS, specifically the @payloadcms/next admin interface. All installations running a version older than 3.78.0 are vulnerable, regardless of deployment size or environment.", "description_and_impact": "An authentication\u2011enabled user with write access to a collection in Payload CMS can save content that embeds malicious JavaScript. When another administrator or user views that content in the admin panel, the script executes in the victim\u2019s browser. This stored cross\u2011site scripting flaw permits the attacker to run arbitrary code under the victim\u2019s session, potentially enabling session hijacking, defacement, or data theft.", "risk_and_exploitability": "The vulnerability is rated with a CVSS score of 8.7, reflecting high severity. An EPSS score is unavailable and the flaw is not listed in the CISA KEV catalog. The likely attack path requires authenticated write access, but once a malicious payload is stored, it executes automatically in the victim\u2019s browser, making exploitation straightforward for anyone who can view the compromised content."}}}}, "created": "2026-04-02T07:47:57.871637+00:00", "updated": "2026-04-02T20:16:51.057796+00:00", "vendors": ["payloadcms", "payloadcms$PRODUCT$payload"]}