Description
A stored cross-site scripting (XSS) vulnerability existed in the admin panel shipped by @payloadcms/next. An authenticated user with write access to a collection could save content that, when another user later viewed it in the admin panel, executed as script in that user's browser. Because the payload is persisted with the document, every subsequent viewer with access to the record is exposed, not only the user who saved it.
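The advisory does not state which field or rendering path was affected, so the following is an added, generic illustration of the stored-XSS class it describes, not Payload CMS code and not the actual vector. The document shape, field name and render functions are hypothetical; the sample document is constructed to stand in for content saved by a user with write access to a collection.

```javascript
// Added illustration of stored XSS in a content-rendering path.
// NOT Payload CMS code; the field name, render functions and sample
// document below are hypothetical and constructed for this demo.

// Minimal HTML escaper for text interpolated into an HTML body.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: a stored field value is concatenated into markup
// as-is, so whatever the writer saved becomes part of the DOM for every
// later viewer of the record.
function renderTitleUnsafe(doc) {
  return `<h1 class="doc-title">${doc.title}</h1>`;
}

// Hardened pattern: the same value is escaped before interpolation, so it
// is shown as literal text instead of being parsed as markup.
function renderTitleSafe(doc) {
  return `<h1 class="doc-title">${escapeHtml(doc.title)}</h1>`;
}

// Constructed sample: a document whose "title" was saved by an
// authenticated user who can write to the collection.
const storedDoc = { title: '<img src=x onerror="alert(document.cookie)">' };

// Crude indicator used only for this demo: does the rendered HTML contain
// an element carrying an inline event-handler attribute?
function containsActiveMarkup(html) {
  return /<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Stand-alone run: prints both renderings for comparison.
console.log("unsafe:", renderTitleUnsafe(storedDoc));
console.log("safe:  ", renderTitleSafe(storedDoc));
```

In a React-based admin UI, plain JSX interpolation already escapes like `renderTitleSafe`; the unsafe shape appears when stored content reaches `dangerouslySetInnerHTML`, a raw template string, or an unvalidated URL attribute. Whichever path it was here, the fix on the reader's side is the version upgrade below; the example only shows why the bug is reachable by any later viewer.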
Recommendation
Update the @payloadcms/next package to 3.78.0 or a later compatible version. Version details:
- Affected version(s): < 3.78.0
- Patched version(s): 3.78.0
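To triage whether a deployment is in the affected range, the following added example (not part of the advisory or of Payload's tooling) reads an npm lockfile and reports every installed copy of @payloadcms/next, flagging versions below 3.78.0. The lockfile content is constructed inline in the lockfileVersion 2/3 `packages` shape; the function and constant names are assumptions for this demo.

```javascript
// Added example, not from the advisory: flag installed copies of
// @payloadcms/next whose version is below the patched release.
// The lockfile below is constructed for the demo.

const AFFECTED_PACKAGE = "@payloadcms/next";
const PATCHED_VERSION = "3.78.0";

// Compare two semver-style strings. Returns -1, 0 or 1.
// A pre-release with the same numeric core (e.g. 3.78.0-canary.1) ranks
// below the release, matching semver ordering.
function compareVersions(a, b) {
  const split = (v) => {
    const [core, pre] = v.split("-", 2);
    return { nums: core.split(".").map((n) => parseInt(n, 10) || 0), pre: pre || null };
  };
  const pa = split(a), pb = split(b);
  for (let i = 0; i < 3; i++) {
    const x = pa.nums[i] || 0, y = pb.nums[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Affected range from the advisory: < 3.78.0
function isAffected(version) {
  return compareVersions(version, PATCHED_VERSION) < 0;
}

// Walk the lockfile's "packages" map (npm lockfileVersion 2/3) and report
// each installed copy of the package, including nested copies such as
// node_modules/foo/node_modules/@payloadcms/next.
function auditLockfile(lockfileJson) {
  const lock = JSON.parse(lockfileJson);
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isTarget =
      path === `node_modules/${AFFECTED_PACKAGE}` ||
      path.endsWith(`/node_modules/${AFFECTED_PACKAGE}`);
    if (isTarget && entry.version) {
      results.push({ path, version: entry.version, affected: isAffected(entry.version) });
    }
  }
  return results;
}

// Constructed sample lockfile pinning an affected version.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "@payloadcms/next": "^3.77.0" } },
    "node_modules/@payloadcms/next": { version: "3.77.2" },
  },
});

// Stand-alone run against the constructed lockfile.
for (const r of auditLockfile(SAMPLE_LOCKFILE)) {
  console.log(`${r.path} ${r.version} ${r.affected ? "AFFECTED" : "ok"}`);
}
```

Replace `SAMPLE_LOCKFILE` with the contents of your project's `package-lock.json` (for example via `fs.readFileSync`) to audit a real tree; the lockfile, not `package.json`, is what records the version actually installed.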
Related Issues
- Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries - CVE-2026-32728
- Apostrophe has stored XSS via javascript: URL in Image Widget Link - CVE-2026-45011
- Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types - CVE-2026-31868
- Auth0 Next.js SDK has Improper Proxy Cache Lookup - CVE-2026-40155
Tags:
- npm
- @payloadcms/next
Last updated on April 06, 2026