Description
A stored cross-site scripting (XSS) vulnerability existed in the admin panel of @payloadcms/next. An authenticated user with write access to a collection could save content that, when viewed by another user, would execute in that viewer's browser. Because the payload persists in the collection rather than in a single crafted request, every admin user who later opens the affected content is exposed, including users with higher privileges than the author.
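As an added illustration (not Payload's code, and not the component that was actually affected, which this advisory does not name), the following sketches the stored-XSS pattern the description refers to: a field value saved by one user is rendered into HTML for another. The in-memory `posts` store, the `title` field and the `renderUnsafe` / `renderSafe` functions are hypothetical; `renderUnsafe` interpolates the stored string as-is, while `renderSafe` HTML-escapes it at output time.

```javascript
// Added example: a minimal model of stored XSS in a CMS content field.
// Not Payload's code; the store, field name and render functions are hypothetical.

// Constructed in-memory "collection" standing in for the CMS database.
const posts = new Map();

// A writer with collection access saves content. Nothing is validated here,
// which is fine on its own: the defect is in how the value is rendered later.
function savePost(id, title) {
  posts.set(id, { title });
}

// Vulnerable rendering: the stored string is concatenated into markup verbatim,
// so a title containing tags or event handlers becomes live HTML for every viewer.
function renderUnsafe(id) {
  const { title } = posts.get(id);
  return `<h1>${title}</h1>`;
}

// Escape the five characters that let text break out of an HTML text node or
// a quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: untrusted content is escaped at the point of output,
// regardless of who wrote it or whether it passed input validation.
function renderSafe(id) {
  const { title } = posts.get(id);
  return `<h1>${escapeHtml(title)}</h1>`;
}

// Constructed samples: one malicious title, one benign title with markup-like characters.
savePost("p1", '<img src=x onerror="alert(document.cookie)">');
savePost("p2", "Quarterly report & outlook <draft>");

console.log("unsafe:", renderUnsafe("p1"));
console.log("safe:  ", renderSafe("p1"));
```

The benign sample shows why escaping (rather than stripping) is the right default: `&` and `<draft>` survive as visible text for the reader instead of being silently lost. In a React/Next.js admin UI the equivalent mistake is passing stored content through `dangerouslySetInnerHTML` or into a `javascript:` URL; ordinary JSX text interpolation already escapes.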
Recommendation
Update the @payloadcms/next package to the latest compatible version. Version details:
- Affected version(s): < 3.78.0
- Patched version(s): 3.78.0
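An added check, not from the advisory or from the Payload project: a small dependency-free version comparison that reports whether an installed @payloadcms/next version falls in the affected range (strictly below 3.78.0), and a walker over a parsed `package-lock.json` that finds every installed copy, including nested duplicates. The `PATCHED` constant is taken from the advisory; `isAffected`, `auditLockfile` and the sample lockfile fragment are hypothetical.

```javascript
// Added example: flag @payloadcms/next versions below the patched release.
// Not part of the advisory or the Payload project; helper names are hypothetical.

const PATCHED = "3.78.0";          // first fixed version, per the advisory
const PACKAGE = "@payloadcms/next";

// Parse "3.77.2", "v3.77.2", "3.78.0-beta.1" or "3.78.0+build" into numeric
// parts plus an optional prerelease tag. Throws on anything else (e.g. "latest").
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns -1, 0 or 1 comparing a to b field by field.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.parts[i] !== pb.parts[i]) return pa.parts[i] < pb.parts[i] ? -1 : 1;
  }
  // Same numeric version: a prerelease sorts before the release (SemVer rule 11),
  // so 3.78.0-beta.1 is still counted as affected. Prereleases are not ordered
  // among themselves here (simplification, not needed for this range).
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Affected range from the advisory: anything strictly below 3.78.0.
function isAffected(installed) {
  return compareVersions(installed, PATCHED) < 0;
}

// Walk a parsed package-lock.json (lockfileVersion 2 or 3 "packages" map) and
// return every installed copy of the package with its affected status. Nested
// copies under another dependency's node_modules are included on purpose.
function auditLockfile(lock) {
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${PACKAGE}` || path.endsWith(`/node_modules/${PACKAGE}`)) {
      results.push({ path, version: entry.version, affected: isAffected(entry.version) });
    }
  }
  return results;
}

// Constructed sample lockfile fragment: one vulnerable top-level copy and one
// fixed copy nested under a plugin.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/@payloadcms/next": { version: "3.77.2" },
    "node_modules/some-plugin/node_modules/@payloadcms/next": { version: "3.78.0" },
  },
};

for (const r of auditLockfile(sampleLock)) {
  console.log(`${r.path}@${r.version}: ${r.affected ? "AFFECTED" : "ok"}`);
}
```

Check the lockfile rather than `package.json`: a caret range such as `^3.77.0` in `package.json` says nothing about what is actually installed, and a nested duplicate can remain vulnerable after the top-level copy is upgraded.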
Related Issues
- Apostrophe has stored XSS via javascript: URL in Image Widget Link - CVE-2026-45011
- Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries - CVE-2026-32728
- Pepr Has Overly Permissive RBAC ClusterRole in Admin Mode - CVE-2026-23634
- Payload's SQLite adapter Session Fixation vulnerability - @payloadcms/next - CVE-2025-4644
Tags: npm, @payloadcms/next
Last updated on April 06, 2026


