CVE-2026-34748: @payloadcms/next has Stored XSS in Admin Panel
A stored Cross-site Scripting (XSS) vulnerability existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another user, would execute in their browser.
Consumers are affected if ALL of these are true:
- Payload version < v3.78.0
- At least one collection with versions enabled
- An authenticated user has `create` or `update` access to that collection
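
A check for the first two conditions above, as an added example (not code from Payload or from this advisory). It assumes an npm `package-lock.json` with lockfileVersion 2 or 3 and collection configs passed in as plain objects; the function names and sample data are constructed for illustration, and the access-control condition is not evaluated.

```javascript
// Added example: helper names and sample inputs are constructed for illustration.
const FIXED = [3, 78, 0]; // first fixed version per the advisory

// Parse "3.77.1" or "3.78.0-beta.2" into { core: [3, 77, 1], pre: false }.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(v).trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when the version sorts before 3.78.0. Unparseable versions are
// reported as affected so that they get a manual look.
function isAffectedVersion(v) {
  const p = parseVersion(v);
  if (!p) return true;
  for (let i = 0; i < 3; i++) {
    if (p.core[i] !== FIXED[i]) return p.core[i] < FIXED[i];
  }
  return p.pre; // a 3.78.0 pre-release precedes the 3.78.0 release
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3)
// and return every installed copy of @payloadcms/next that is affected.
function affectedInstalls(lock) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/@payloadcms/next") && isAffectedVersion(meta.version)) {
      out.push({ path, version: meta.version });
    }
  }
  return out;
}

// Collections with versions enabled (`versions: true` or an options object).
function versionedCollections(collections) {
  return collections.filter((c) => Boolean(c.versions)).map((c) => c.slug);
}

// Combine both conditions; access rules still need a manual review.
function assess(lock, collections) {
  const installs = affectedInstalls(lock);
  const slugs = versionedCollections(collections);
  return { installs, slugs, exposed: installs.length > 0 && slugs.length > 0 };
}

// Constructed sample data: one affected copy, one fixed copy in a workspace.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo" },
  "node_modules/@payloadcms/next": { version: "3.77.0" },
  "apps/web/node_modules/@payloadcms/next": { version: "3.78.0" } } };
const sampleCollections = [{ slug: "posts", versions: { drafts: true } }, { slug: "media" }];
console.log(assess(sampleLock, sampleCollections));
```

For each slug the check reports, review which roles satisfy that collection's `create` and `update` access rules until the upgrade to v3.78.0 or later is deployed.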