PayloadCMS is an open-source headless content management system widely used for managing content in web applications. Prior to version 3.78.0, the @payloadcms/next package contained a stored Cross-Site Scripting (XSS) vulnerability in its admin panel. This vulnerability, identified as CVE-2026-34748 and classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), allows an authenticated user with write permissions on a collection to inject malicious JavaScript code into stored content. When another user with access views this content in the admin panel, the malicious script executes in their browser context. The vulnerability is characterized by a CVSS 3.1 score of 8.7, indicating high severity, with an attack vector of network (remote), low attack complexity, requiring privileges (authenticated user), and user interaction (viewing the content). The scope is changed, meaning the vulnerability affects resources beyond the initially compromised component. The impact includes high confidentiality and integrity loss, as attackers can steal session tokens, perform actions on behalf of other users, or manipulate data. Availability is not impacted. The vulnerability was publicly disclosed on April 1, 2026, and has been patched in version 3.78.0 of PayloadCMS. No known exploits are currently reported in the wild, but the vulnerability poses a significant risk in environments where multiple users have write access to collections and use the admin panel.

This vulnerability can lead to severe consequences for organizations using vulnerable versions of PayloadCMS. Attackers with authenticated write access can inject malicious scripts that execute in the browsers of other users, potentially leading to session hijacking, credential theft, unauthorized actions within the admin panel, and data manipulation. This compromises the confidentiality and integrity of the system and its data. Since the admin panel is a critical interface for content management, exploitation could disrupt content workflows and damage organizational reputation. The vulnerability does not directly affect availability but can indirectly cause operational disruptions. Organizations with multiple administrators or editors are at higher risk, especially if they do not enforce strict access controls or monitor content changes. The high CVSS score reflects the ease of exploitation once authenticated and the significant impact on security.

1. Upgrade PayloadCMS to version 3.78.0 or later immediately to apply the official patch addressing this vulnerability. 2. Enforce the principle of least privilege by restricting write access to collections only to trusted users who require it. 3. Implement rigorous input validation and sanitization on all user-generated content, especially in the admin panel, to prevent injection of malicious scripts. 4. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the admin interface. 5. Monitor and audit content changes regularly to detect suspicious or unexpected modifications. 6. Educate administrators and content editors about the risks of XSS and safe content handling practices. 7. Consider additional security controls such as multi-factor authentication (MFA) to reduce the risk of compromised credentials enabling exploitation. 8. If upgrading immediately is not feasible, apply temporary mitigations such as disabling write access for non-essential users and restricting admin panel access via network controls.