CVE-2026-34748
Published: 01 April 2026
Summary
CVE-2026-34748 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Payloadcms Payload. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); the vulnerability ranks at the 12.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): filters malicious scripts from information outputs in the admin panel to prevent execution when authenticated users view stored content.
- SI-10 (Information Input Validation): validates inputs to collections to block injection and storage of malicious XSS payloads by authenticated users with write access.
- Remediates the specific stored XSS flaw by requiring timely patching to Payload CMS version 3.78.0 or later.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS enables injection and execution of arbitrary JavaScript in the admin browser context (T1059.007), directly facilitating keylogging (T1056.001) and web session cookie theft (T1539) as described.
NVD Description
Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/next, a stored Cross-Site Scripting (XSS) vulnerability existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another user, would execute in their browser. This issue has been patched in version 3.78.0.
Deeper analysis
CVE-2026-34748 is a stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting Payload, a free and open-source headless content management system. The issue resides in the admin panel of the @payloadcms/next package prior to version 3.78.0. It allows malicious scripts to be embedded in saved content within collections, with a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality and integrity after scope change.
An authenticated attacker with write access to a collection can exploit this by injecting and saving malicious payloads. When another authenticated user, such as an admin, views the affected content in the admin panel, the script executes in their browser context. This enables potential theft of session cookies, keystroke logging, or further client-side attacks, though it requires user interaction to view the content.
The vulnerability has been patched in Payload version 3.78.0. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub Security Advisory at https://github.com/payloadcms/payload/security/advisories/GHSA-mmxc-95ch-2j7c.
Details
- CWE(s)