EUVD-2026-18015
GHSA-mmxc-95ch-2j7c
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
4Tags
Description
Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/next, a stored Cross-Site Scripting (XSS) vulnerability existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another user, would execute in their browser. This issue has been patched in version 3.78.0.
Analysis
Stored Cross-Site Scripting (XSS) in Payload CMS versions prior to 3.78.0 allows authenticated users with write permissions to inject malicious scripts into content that execute in other users' browsers when viewed in the admin panel. The vulnerability requires low privilege access (PR:L) and user interaction (UI:R), enabling attackers to compromise admin accounts with high confidentiality and integrity impact due to scope change (S:C). …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all Payload CMS deployments and confirm current versions against 3.78.0 baseline. Within 7 days: Restrict write permissions in Payload CMS to only trusted administrative staff and implement input validation/output encoding controls; review audit logs for suspicious content modifications. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today