High severity 8.9 · NVD Advisory · Published May 8, 2026 · Updated May 18, 2026
CVE-2026-42556
Description
Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who can create a post can store arbitrary HTML in post content by tampering with their own save request and send the public preview link /p/?share=true to another user. The preview page renders that stored HTML with dangerouslySetInnerHTML on the main application origin. This issue has been patched in version 2.21.7.
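One server-side way to handle the condition described above, as an added example (not Postiz code and not the 2.21.7 patch): normalise post content when the save request arrives, so that whatever a client sends, only inert text and a fixed set of attribute-less tags can reach a `dangerouslySetInnerHTML` sink. The names `ALLOWED_TAGS`, `normalizePostHtml` and `isEditorClean`, the tag list, and the sample input are assumptions made for the illustration.

```javascript
// Added example, not Postiz code. ALLOWED_TAGS, normalizePostHtml and
// isEditorClean are hypothetical names.

// Assumption: the editor only ever needs these attribute-less tags.
const ALLOWED_TAGS = new Set(["p", "br", "strong", "em", "u", "ul", "ol", "li"]);

function normalizePostHtml(untrusted) {
  return String(untrusted)
    // NUL is used as a private marker below, so remove any the client sent.
    .replace(/\u0000/g, "")
    // Park exact allow-listed tags (no attributes, no whitespace) behind markers.
    .replace(/<(\/?)([a-z][a-z0-9]*)>/gi, (match, slash, name) => {
      const tag = name.toLowerCase();
      return ALLOWED_TAGS.has(tag) ? `\u0000${slash}${tag}\u0000` : match;
    })
    // Everything still shaped like markup becomes inert text.
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    // Escape bare ampersands but keep entities the editor already encoded.
    .replace(/&(?!(?:[a-z]+|#\d+|#x[0-9a-f]+);)/gi, "&amp;")
    // Restore the parked tags as real markup.
    .replace(/\u0000(\/?[a-z][a-z0-9]*)\u0000/g, "<$1>");
}

// Detection helper: content that changes under normalisation did not come
// from an unmodified editor, so the save handler can log or reject it.
function isEditorClean(html) {
  return normalizePostHtml(html) === html;
}

// Constructed sample of a tampered save body (not taken from the advisory).
const SAMPLE_TAMPERED =
  "<p>Hello <strong>world</strong></p><img src=x onerror=alert(1)>";

console.log(normalizePostHtml(SAMPLE_TAMPERED));
console.log(isEditorClean(SAMPLE_TAMPERED));
```

Running the same normalisation again at render time covers rows that were stored before the check existed.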
Affected products
- Range: >=2.21.6, <2.21.7
References
- github.com/gitroomhq/postiz-app/security/advisories/GHSA-hhxq-3wg7-4rj8 (NVD: Vendor Advisory)
- github.com/gitroomhq/postiz-app/releases/tag/v2.21.7 (NVD: Product, Release Notes)