CVE-2026-42556

Published: May 8, 2026Modified: May 18, 2026

9.0

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Exploitability: 2.3 / Impact: 6.0

Source: NVD

Description

Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who can create a post can store arbitrary HTML in post content by tampering their own save request and send the public preview link /p/<postId>?share=true to another user. The preview page renders that stored HTML with dangerouslySetInnerHTML on the main application origin. This issue has been patched in version 2.21.7.

Affected (1)

Products: Gitroom: Postiz

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Gitroom Postiz	Version 2.21.6

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.7

Source: security-advisories@github.com

ProductRelease Notes

https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-hhxq-3wg7-4rj8

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.