Skip to main content

Payload EUVDEUVD-2026-18015

| CVE-2026-34748 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-04-01 security-advisories@github.com GHSA-mmxc-95ch-2j7c
8.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch released
Apr 02, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 01, 2026 - 20:27 euvd
EUVD-2026-18015
Analysis Generated
Apr 01, 2026 - 20:27 vuln.today
CVE Published
Apr 01, 2026 - 20:16 nvd
HIGH 8.7

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on @payloadcms/next (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.78.0.

DescriptionGitHub Advisory

Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/next, a stored Cross-Site Scripting (XSS) vulnerability existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another user, would execute in their browser. This issue has been patched in version 3.78.0.

AnalysisAI

Stored Cross-Site Scripting (XSS) in Payload CMS versions prior to 3.78.0 allows authenticated users with write permissions to inject malicious scripts into content that execute in other users' browsers when viewed in the admin panel. The vulnerability requires low privilege access (PR:L) and user interaction (UI:R), enabling attackers to compromise admin accounts with high confidentiality and integrity impact due to scope change (S:C). CVSS score of 8.7 reflects the elevated risk from privileged position abuse. No public exploit identified at time of analysis, though the technical details are publicly documented in GitHub Security Advisory GHSA-mmxc-95ch-2j7c.

Technical ContextAI

This vulnerability affects the @payloadcms/next package in Payload CMS, a Node.js-based headless content management system. The flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating insufficient output encoding or sanitization of user-supplied content before rendering in the admin interface. In headless CMS architectures, the admin panel is a privileged environment where content editors manage data; stored XSS here is particularly dangerous because it can target high-privilege users. The vulnerability exists in the content rendering pipeline where authenticated users can persist malicious JavaScript payloads that bypass input validation. When other administrators or editors view the affected content within the admin panel, the stored script executes in their browser context with their session privileges, enabling session hijacking, credential theft, or administrative action on behalf of the victim.

RemediationAI

Upgrade to Payload CMS version 3.78.0 or later, which includes patches to properly sanitize and encode user-supplied content before rendering in the admin panel. Organizations should apply this update to the @payloadcms/next package immediately, particularly in multi-user environments. As an interim mitigation, organizations can implement strict content security policies (CSP) to limit script execution in the admin panel, restrict write access to only highly trusted users, and audit existing content for suspicious JavaScript payloads. Review admin panel access logs for unusual content modification patterns and conduct a security audit of stored content created by users with write permissions prior to the patch. Refer to the vendor security advisory at https://github.com/payloadcms/payload/security/advisories/GHSA-mmxc-95ch-2j7c for additional implementation guidance and to confirm the fix addresses your deployment configuration.

Share

EUVD-2026-18015 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy