Executive Summary

CVE-2026-34748 is a stored Cross-Site Scripting (XSS) vulnerability found in the admin panel of the npm package @payloadcms/next, affecting versions prior to 3.78.0.

An authenticated user with write access to a collection can save malicious content that executes arbitrary scripts in the browsers of other users who view that content.

This happens because user-supplied input is not properly neutralized or encoded before being rendered as markup in the admin panel, allowing the malicious script to run.

The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker with write access to inject malicious scripts that execute in other users' browsers when they view the compromised content.

The impact includes high confidentiality and integrity risks, as attackers could steal sensitive information, hijack user sessions, or perform actions on behalf of other users.

The vulnerability has a high severity with a CVSS v3.1 base score of 8.7, indicating it is a serious security issue.

There is no impact on availability, but the scope of the attack can affect components beyond the initially vulnerable one.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability is a stored Cross-Site Scripting (XSS) issue in the admin panel of @payloadcms/next prior to version 3.78.0. Detection involves identifying if your system is running a vulnerable version and if there are any malicious scripts stored in collections that execute when viewed by other users.

Since the vulnerability requires an authenticated user with write access to save malicious content, detection can include reviewing recent changes or content saved by users with such permissions for suspicious scripts or markup.

No specific commands are provided in the resources, but general approaches include:

• Check the installed version of @payloadcms/next to confirm if it is prior to 3.78.0.
• Audit content in versioned collections for suspicious or unexpected script tags or event handlers.
• Monitor HTTP traffic to the admin panel for unusual payloads or script injections.
• Use web vulnerability scanners that can detect stored XSS by simulating authenticated user input and observing output.

Useful 0 Not Useful 0

Mitigation Strategies

The primary and recommended mitigation is to upgrade @payloadcms/next to version 3.78.0 or later, where the vulnerability has been patched by adding proper output encoding.

If immediate upgrading is not possible, a temporary workaround is to restrict create and update permissions on versioned collections to trusted roles only, limiting the ability of potentially malicious users to save harmful content.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability described is a stored Cross-Site Scripting (XSS) issue that allows execution of arbitrary scripts in the browsers of users viewing malicious content. This can lead to unauthorized access to sensitive information or manipulation of data, which may impact confidentiality and integrity.

Such impacts can affect compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and modification. Failure to address this vulnerability could result in data breaches or unauthorized data exposure, potentially leading to non-compliance with these regulations.

Mitigation by upgrading to version 3.78.0 or later, which includes proper output encoding, is essential to maintain compliance and reduce the risk of exploitation.

Useful 0 Not Useful 0