CVE-2026-34748

Published April 1st, 2026

View on NVD ↗

CVSS v3

8.7

HIGH

CVSS v2

N/A

Affected

PROJECT

Description

Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/next, a stored Cross-Site Scripting (XSS) vulnerability existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another user, would execute in their browser. This issue has been patched in version 3.78.0.

payloadcms/payload

Payload is the open-source, fullstack Next.js framework, giving you instant backend superpowers. Get a full TypeScript backend and admin panel instantly. Use Payload as a headless CMS or for building powerful applications.

GitHub

43.2K