CVE-2026-42556
Stored XSS in Postiz AI Social Media Scheduler
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| postiz | postiz | to 2.21.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Postiz, an AI social media scheduling tool, in versions from 2.21.6 up to but not including 2.21.7. It allows any authenticated user who can create a post to store arbitrary HTML content by tampering with their own save request. The stored HTML is then rendered on the public preview page using dangerouslySetInnerHTML on the main application origin, which can lead to security risks.
How can this vulnerability impact me? :
The vulnerability can lead to serious security impacts because it allows an attacker to inject arbitrary HTML into post content that is rendered on the main application origin. This can result in cross-site scripting (XSS) attacks, potentially compromising user data, session tokens, or enabling malicious actions on behalf of other users. The CVSS score of 8.9 indicates a high severity with impacts on confidentiality, integrity, and availability.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been patched in Postiz version 2.21.7. The immediate step to mitigate this vulnerability is to upgrade Postiz to version 2.21.7 or later.