Server-side cross-site scripting in @payloadcms/next

Description

@payloadcms/next has a stored XSS in the admin panel

Impact

A stored cross-site scripting (XSS) vulnerability existed in the admin panel. An authenticated user with create or update access to a versioned collection could save content that, when rendered in the admin panel for another user, would execute script in that user's browser under that user's admin session.

Consumers are affected only if all of the following are true:

    Payload version < v3.78.0

    At least one collection has versions enabled

    An authenticated user has create or update access to that collection

Patches

This vulnerability has been patched in v3.78.0. Output encoding has been added so that user-supplied content is rendered as text rather than interpreted as markup.

Users should upgrade to v3.78.0 or later.
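The following is an added illustration, not code from Payload or from the fix itself, of the difference output encoding makes. It models the unencoded pattern the advisory describes beside an encoded version and includes a small check that a reviewer can run against any renderer; the document shape, field names and the attacker payload are constructed for the example.

```typescript
// Added illustration, not code from Payload: why output encoding stops stored XSS.
// A document as a user with update access could save it (constructed for this example).
export interface Doc {
  title: string
  summary: string
}

export const storedDoc: Doc = {
  title: 'Release notes',
  // Constructed attacker payload: an event handler on a broken image fires on render.
  summary: '<img src=x onerror="alert(document.cookie)">',
}

// Vulnerable pattern: field values spliced into markup as-is, so '<' in a value opens a tag.
export function renderUnsafe(doc: Doc): string {
  return `<h1>${doc.title}</h1><p>${doc.summary}</p>`
}

// Encode the five characters that change meaning in HTML text and quoted-attribute contexts.
const ENTITIES: Record<string, string> = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
}

export function escapeHtml(value: string): string {
  return value.replace(/[&<>"']/g, (ch) => ENTITIES[ch])
}

// Hardened pattern: every user-controlled value passes through escapeHtml before it
// reaches the markup, so the payload is displayed literally instead of executed.
export function renderSafe(doc: Doc): string {
  return `<h1>${escapeHtml(doc.title)}</h1><p>${escapeHtml(doc.summary)}</p>`
}

// Check for a reviewer or a regression test: does a value that contains '<' survive
// verbatim in the rendered output? If so, the renderer is not encoding that field.
export function leaksMarkup(doc: Doc, render: (d: Doc) => string): boolean {
  const out = render(doc)
  return [doc.title, doc.summary].some((v) => v.includes('<') && out.includes(v))
}

console.log(renderUnsafe(storedDoc)) // a browser would run the onerror handler here
console.log(renderSafe(storedDoc)) // the payload is shown as text
```

escapeHtml covers HTML text and quoted attribute values; a value placed in a URL, a script block or an unquoted attribute needs the encoding for that context instead.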

Workarounds

If consumers cannot upgrade immediately:

    Restrict create and update access on every collection with versions enabled to trusted roles only. This limits who can plant a payload but does not change how already-saved content is rendered, so content previously written to those collections by users who are no longer trusted should be reviewed.
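As an added example of that workaround (not Payload's own code): a collection access function that admits only trusted roles, a versioned collection that uses it, and a short audit over a list of collection configs that reports versioned collections still on the default write access. It assumes the users collection carries a `roles` array and that `admin` and `editor` are the trusted roles; the collection slugs and fields are constructed for the example. Payload's default when no access function is set is to allow any authenticated user, which is exactly the condition the advisory lists.

```typescript
// Added example, not Payload's own code. It assumes the users collection carries a
// 'roles' array and that 'admin' and 'editor' are the trusted roles; adjust to your project.

// Shape of the argument Payload passes to a collection access function (only req.user is used here).
export interface AccessArgs {
  req: { user?: { roles?: string[] } | null }
}

export const TRUSTED_ROLES: readonly string[] = ['admin', 'editor']

// Access function for create/update: true only for an authenticated user holding a trusted role.
// Without such a function Payload allows any logged-in user, which is what the advisory warns about.
export function isTrustedWriter({ req }: AccessArgs): boolean {
  const roles = req.user?.roles ?? []
  return roles.some((role) => TRUSTED_ROLES.includes(role))
}

// Minimal shape of a collection config, enough for the audit below.
export interface CollectionLike {
  slug: string
  versions?: unknown
  access?: { create?: unknown; update?: unknown }
  fields?: { name: string; type: string }[]
}

// Versioned collection with its write paths restricted to trusted roles.
export const Posts: CollectionLike = {
  slug: 'posts',
  versions: { drafts: true },
  access: { create: isTrustedWriter, update: isTrustedWriter },
  fields: [
    { name: 'title', type: 'text' },
    { name: 'summary', type: 'textarea' },
  ],
}

// Versioned collection left on defaults (constructed to show what the audit flags).
export const Pages: CollectionLike = {
  slug: 'pages',
  versions: true,
  fields: [{ name: 'title', type: 'text' }],
}

// Audit: which versioned collections still let any authenticated user create or update?
export function unrestrictedVersionedCollections(collections: CollectionLike[]): string[] {
  return collections
    .filter((c) => Boolean(c.versions) && (!c.access?.create || !c.access?.update))
    .map((c) => c.slug)
}

console.log(unrestrictedVersionedCollections([Posts, Pages])) // ['pages']
```

Run the audit over the `collections` array of your Payload config before deploying the workaround; every slug it returns still needs `access.create` and `access.update` set.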


Ecosystem   Package            Affected versions   Patched versions
npm         @payloadcms/next   < 3.78.0            3.78.0