CVE-2026-42556 — HIGH (8.9)

Vulnerability Description

Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who can create a post can store arbitrary HTML in post content by tampering their own save request and send the public preview link /p/<postId>?share=true to another user. The preview page renders that stored HTML with dangerouslySetInnerHTML on the main application origin. This issue has been patched in version 2.21.7.

CVSS Score

8.9

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

LOW

Affected Products

Vendor	Product	Versions
Gitroom	Postiz	2.21.6

Related Weaknesses (CWE)

CWE-79

References

https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.7ProductRelease Notes
https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-hhxq-3wg7-4rj8Vendor Advisory

FAQ

What is CVE-2026-42556?

CVE-2026-42556 is a vulnerability with a CVSS score of 8.9 (HIGH). Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who can create a post can store arbitrary HTML in post content by tampering their own...

How severe is CVE-2026-42556?

CVE-2026-42556 has been rated HIGH with a CVSS base score of 8.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-42556?

Check the references section above for vendor advisories and patch information. Affected products include: Gitroom Postiz.