Arbitrary HTML Injection in Postiz AI Social Media Tool
CVE-2026-42556

8.9HIGH

Key Information:

Vendor: Gitroomhq
Status: Postiz-app
Vendor: CVE Published:; 8 May 2026

What is CVE-2026-42556?

The Postiz AI social media scheduling tool contains a vulnerability that allows authenticated users to store arbitrary HTML content in posts. By manipulating the save request during post creation, users can render this HTML on the public preview link. The stored HTML is displayed using dangerouslySetInnerHTML, which poses significant security risks. This flaw has been addressed in version 2.21.7, emphasizing the importance of upgrading to this version to mitigate any potential exploitation.

Affected Version(s)

postiz-app >= 2.21.6, < 2.21.7

References

https://github.com/gitroomhq/postiz-app/security/advisori...

x_refsource_CONFIRM

https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.7

x_refsource_MISC

CVSS V3.1

Score:

8.9

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 8, 2026
Vulnerability Reserved
Apr 28, 2026

CVE-2026-42556 Data

JSON

Gitroomhq

What is CVE-2026-42556?

Affected Version(s)

References

CVSS V3.1

Timeline