CVE-2026-42556 HIGH

CVE-2026-42556: Postiz stored XSS in public preview page

Vendor Gitroomhq
Product postiz-app
Weakness CWE-79 · XSS
Published May 8, 2026
Last update May 13, 2026

CVSS base score

8.9/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Scope Changed
Confidentiality High
Integrity High
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

What the vulnerability does

01 Description

Postiz is an AI social media scheduling tool. In versions from 2.21.6 up to, but not including, 2.21.7, any authenticated user who can create a post can store arbitrary HTML in the post content by tampering with their own save request, then send the public preview link /p/<postId>?share=true to another user. The preview page renders that stored HTML with dangerouslySetInnerHTML on the main application origin, so the injected markup executes in the context of the victim's session (stored cross-site scripting, CWE-79). This issue has been patched in version 2.21.7.

Key dates

02 Disclosure timeline

May 8, 2026 CVE published
May 13, 2026 Record updated

Related vulnerabilities

04 Related CVE