CVE-2026-42556

CRITICAL WAF: High

CVSS 9.0 Published: 2026-05-08

CWE-79

Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who can create a post can store arbitrary HTML in post content by tampering their own save request and send the public preview link /p/?share=true to another user. The preview page renders that stored HTML with dangerouslySetInnerHTML on the main application origin. This issue has been patched in version 2.21.7.

WAF Coverage Analysis

Cross-Site Scripting (XSS) High WAF Coverage

OWASP: A03:2021 Injection

941xxx - XSS / XXE

Affected Software

Vendor	Product	Version
gitroom	postiz	2.21.6

References

github.com (Product, Release Notes)
github.com (Vendor Advisory)

Back to CVE Database