PT-2026-29596 · Pyload · Pyload

Highdenolfe · Published 2026-04-01 · Updated 2026-04-14 · CVE-2026-34748

CVSS v3.1: 8.7 High
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Payload versions prior to 3.78.0

Description

Payload is a free and open source headless content management system. A stored Cross-Site Scripting (XSS) issue existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another user, would execute in that user's browser. Consumers are affected if they use a Payload version earlier than 3.78.0, have at least one collection with versions enabled, and have an authenticated user with create or update access to that collection.

Recommendations

Upgrade to version 3.78.0 or later. Restrict create and update access to versioned collections to trusted roles only.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-34748
GHSA-MMXC-95CH-2J7C

Affected Products

Pyload