CVE-2026-55596
Received Received - Intake

Media Embed XSS in Plate Editor via Unsafe URL Handling

Vulnerability report for CVE-2026-55596, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Plate is a rich-text editor with AI and shadcn/ui. From 53.0.0 until 53.1.4, the media embed renderer trusts serialized provider or sourceUrl metadata in useMediaState and skips parseMediaUrl protocol validation, allowing a crafted Plate document to set a known video provider while keeping url as a javascript: iframe source that the registry MediaEmbedElement renders directly as an iframe src when a victim opens the document. This issue is fixed in version 53.1.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Plate rich-text editor versions from 53.0.0 up to 53.1.4. The issue arises because the media embed renderer trusts serialized provider or sourceUrl metadata without properly validating the protocol of the media URL. Specifically, it skips the parseMediaUrl protocol validation, which allows an attacker to craft a Plate document that sets a known video provider but uses a javascript: iframe source URL. When a victim opens this document, the MediaEmbedElement registry renders this malicious iframe source directly, potentially leading to execution of malicious scripts.

Impact Analysis

This vulnerability can have serious security impacts. Because the media embed renderer can be tricked into rendering a malicious iframe with a javascript: URL, it can lead to cross-site scripting (XSS) attacks. This means an attacker could execute arbitrary scripts in the context of the victim's browser when they open the crafted document. The CVSS score of 8.7 indicates a high severity with potential for high confidentiality and integrity impact, although availability is not affected.

Mitigation Strategies

To mitigate this vulnerability, update the Plate rich-text editor to version 53.1.4 or later, where the issue is fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55596. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart