GHSA-mmxc-95ch-2j7c

Source

https://github.com/advisories/GHSA-mmxc-95ch-2j7c

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mmxc-95ch-2j7c/GHSA-mmxc-95ch-2j7c.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-mmxc-95ch-2j7c

Aliases

CVE-2026-34748

Published

2026-04-01T21:24:22Z

Modified

2026-04-06T17:05:23.541316Z

Severity

8.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N CVSS Calculator

Summary

@payloadcms/next has Stored XSS in Admin Panel

Details

Impact

A stored Cross-site Scripting (XSS) vulnerability existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another user, would execute in their browser.

Consumers are affected if ALL of these are true:

Payload version < v3.78.0
At least one collection with versions enabled
An authenticated user has create or update access to that collection

Patches

This vulnerability has been patched in v3.78.0. Output encoding has been added to prevent user-supplied content from being interpreted as markup.

Users should upgrade to v3.78.0 or later.

Workarounds

If consumers cannot upgrade immediately:

Restrict create and update access to versioned collections to trusted roles only.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T21:24:22Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "HIGH",
    "nvd_published_at": "2026-04-01T20:16:27Z"
}

References

Affected packages

npm / @payloadcms/next

Package

Name: @payloadcms/next; View open source insights on deps.dev
Purl: pkg:npm/%40payloadcms/next

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.78.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mmxc-95ch-2j7c/GHSA-mmxc-95ch-2j7c.json"