{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34748", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T19:17:10.224Z", "datePublished": "2026-04-01T19:48:10.297Z", "dateUpdated": "2026-04-02T16:24:38.880Z"}, "containers": {"cna": {"title": "@payloadcms/next has Stored XSS in Admin Panel", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-mmxc-95ch-2j7c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/payloadcms/payload/security/advisories/GHSA-mmxc-95ch-2j7c"}], "affected": [{"vendor": "payloadcms", "product": "payload", "versions": [{"version": "< 3.78.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T19:48:10.297Z"}, "descriptions": [{"lang": "en", "value": "Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/next, a stored Cross-Site Scripting (XSS) vulnerability existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another user, would execute in their browser. This issue has been patched in version 3.78.0."}], "source": {"advisory": "GHSA-mmxc-95ch-2j7c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T15:49:07.409157Z", "id": "CVE-2026-34748", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T16:24:38.880Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "225E9788-C205-479C-B3EE-7A57A468929F", "versionEndExcluding": "3.78.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/next, a stored Cross-Site Scripting (XSS) vulnerability existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another user, would execute in their browser. This issue has been patched in version 3.78.0."}], "id": "CVE-2026-34748", "lastModified": "2026-04-13T19:13:21.220", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-01T20:16:27.040", "references": [{"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/payloadcms/payload/security/advisories/GHSA-mmxc-95ch-2j7c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.78.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "payload", "source": "cna", "vendor": "payloadcms"}, "product": "payload", "vendor": "payloadcms"}], "analysis": {"en": {"generated_at": "2026-04-13T21:46:01.754927+00:00", "value": {"mitigation_remediation": ["Upgrade Payload to version\u202f3.78.0 or later.", "Restrict write access to trusted users only."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting in Admin Panel"}, "threat_synthesis": {"affected_systems": "The flaw affects the @payloadcms/next module of Payload CMS, a free, open\u2011source headless content management system. Any deployment running @payloadcms/next before version\u202f3.78.0 is impacted, regardless of the underlying Node.js environment.", "description_and_impact": "A vulnerability allows an authenticated user with write permissions in Payload\u2019s admin panel to store malicious JavaScript content. When a different authenticated user later views the stored content, the script runs in that user\u2019s browser, enabling arbitrary client\u2011side code execution. The weakness is a stored Cross\u2011Site Scripting flaw identified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 8.7 classifies the issue as high severity. The EPSS score of less than\u202f1\u202f% suggests a low probability of exploitation in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog, indicating no known widespread exploit. An attacker would need valid credentials with write access to a collection; once malicious content is stored, any authenticated user who views the content experiences script execution. Consequently, the risk is primarily significant for systems where write permissions are broadly granted or where compromised accounts exist."}}}}, "created": "2026-04-02T07:47:57.871637+00:00", "updated": "2026-04-14T16:42:08.869421+00:00", "vendors": ["payloadcms", "payloadcms$PRODUCT$payload"]}