CVE-2026-42556

Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who can create a post can store arbitrary HTML in post content by tampering their own save request and send the public preview link /p/<postId>?share=true to another user. The preview page renders that stored HTML with dangerouslySetInnerHTML on the main application origin. This issue has been patched in version 2.21.7.

CVSS v3 8.9 HIGH

8.9^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.7	Product Release Notes
https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-hhxq-3wg7-4rj8	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:gitroom:postiz:2.21.6:*:*:*:*:*:*:*

History

18 May 2026, 14:27

Type	Values Removed	Values Added
References	~~() https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.7 -~~	() https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.7 - Product, Release Notes
References	~~() https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-hhxq-3wg7-4rj8 -~~	() https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-hhxq-3wg7-4rj8 - Vendor Advisory
CPE		cpe:2.3:a:gitroom:postiz:2.21.6:::::::*
First Time		Gitroom Gitroom postiz

08 May 2026, 23:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-08 23:16

Updated : 2026-05-18 14:27

NVD link : CVE-2026-42556

Mitre link : CVE-2026-42556

CVE.ORG link : CVE-2026-42556

JSON object : View

Products Affected

gitroom

postiz

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-42556", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.9, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}]}, "published": "2026-05-08T23:16:39.373", "references": [{"url": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.7", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-hhxq-3wg7-4rj8", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who can create a post can store arbitrary HTML in post content by tampering their own save request and send the public preview link /p/<postId>?share=true to another user. The preview page renders that stored HTML with dangerouslySetInnerHTML on the main application origin. This issue has been patched in version 2.21.7."}], "lastModified": "2026-05-18T14:27:09.653", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitroom:postiz:2.21.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "65A2787F-5E06-4B4B-A20F-32F4EB215016"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}