CVE-2026-42556
Received Received - Intake
Stored XSS in Postiz AI Social Media Scheduler

Publication date: 2026-05-08

Last updated on: 2026-05-18

Assigner: GitHub, Inc.

Description
Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who can create a post can store arbitrary HTML in post content by tampering their own save request and send the public preview link /p/<postId>?share=true to another user. The preview page renders that stored HTML with dangerouslySetInnerHTML on the main application origin. This issue has been patched in version 2.21.7.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-18
Generated
2026-06-19
AI Q&A
2026-05-09
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42556
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gitroom postiz 2.21.6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows authenticated users to store arbitrary HTML content that is rendered unsafely, potentially enabling cross-site scripting (XSS) attacks. Such attacks can lead to unauthorized access, data leakage, or manipulation of user data.

This can impact compliance with standards like GDPR and HIPAA, which require protection of personal data and secure handling of user information to prevent unauthorized disclosure or alteration.

Specifically, the risk of data exposure or integrity compromise due to this vulnerability could lead to violations of data protection and privacy requirements mandated by these regulations.

Executive Summary

This vulnerability exists in Postiz, an AI social media scheduling tool, in versions from 2.21.6 up to but not including 2.21.7. It allows any authenticated user who can create a post to store arbitrary HTML content by tampering with their own save request. The stored HTML is then rendered on the public preview page using dangerouslySetInnerHTML on the main application origin, which can lead to security risks.

Impact Analysis

The vulnerability can lead to serious security impacts because it allows an attacker to inject arbitrary HTML into post content that is rendered on the main application origin. This can result in cross-site scripting (XSS) attacks, potentially compromising user data, session tokens, or enabling malicious actions on behalf of other users. The CVSS score of 8.9 indicates a high severity with impacts on confidentiality, integrity, and availability.

Mitigation Strategies

The vulnerability has been patched in Postiz version 2.21.7. The immediate step to mitigate this vulnerability is to upgrade Postiz to version 2.21.7 or later.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42556. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart