Description
Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who can create a post can store arbitrary HTML in post content by tampering their own save request and send the public preview link /p/<postId>?share=true to another user. The preview page renders that stored HTML with dangerouslySetInnerHTML on the main application origin. This issue has been patched in version 2.21.7.
Published: 2026-05-08
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Postiz, an AI social media scheduling tool, allows any authenticated user to embed arbitrary HTML into post content. In versions 2.21.6 up to, but not including, 2.21.7, the preview page renders that stored HTML using dangerouslySetInnerHTML on the main application origin. This flaw lets an attacker inject and execute client-side script in the browser of any user who opens the public preview link, potentially stealing session data or credentials, or propagating malicious content.

Affected Systems

The vulnerability affects GitroomHQ Postiz App versions from 2.21.6 up to, but not including, 2.21.7. Any user who can create posts can exploit the flaw by tampering with their own save request and then sending the resulting preview URL to another user.

Risk and Exploitability

The CVSS score of 8.9 categorizes this as a high-severity issue. The EPSS score is not available, and it is not listed in the CISA KEV catalog. An attacker only needs authenticated access to create a post and the ability to share the preview link, making the exploitation path straightforward. The stored XSS could execute arbitrary script in the victim's browser without requiring additional privileges or complex conditions.

Generated by OpenCVE AI on May 8, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Postiz to version 2.21.7 or later
  • If upgrading is delayed, restrict public preview links to users with verified roles and sanitize the preview page’s content on the server side
  • Implement input validation to block raw HTML in post content and enforce a stricter Content Security Policy to mitigate any remaining XSS vectors
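The mitigations listed above, as an added example that is not Postiz's own code (the project's actual 2.21.7 fix is not shown on this page): stored post content is escaped before it reaches dangerouslySetInnerHTML, raw HTML is rejected at save time, and a restrictive Content-Security-Policy backs both. All function names and the sample content are assumptions constructed for this illustration.

```javascript
// Added example (not Postiz's code): a safe rendering path for the public preview page.
// Function names and the sample content are assumptions constructed for this illustration.

// Escape the characters that can open HTML syntax so stored post content is shown as text.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Server-side check for the save request: the editor only ever submits plain text, so a tag
// opener or an HTML entity in the body means the request was tampered with and is rejected.
function containsRawHtml(content) {
  return /<\s*\/?\s*[a-z!?]/i.test(content) || /&#?\w+;/.test(content);
}

// Vulnerable pattern: stored content handed to dangerouslySetInnerHTML unchanged.
function renderPreviewHtmlUnsafe(content) {
  return content;
}

// Hardened pattern: escape first, then reintroduce only the markup we generate ourselves
// (line breaks). The result is safe for dangerouslySetInnerHTML or innerHTML.
function renderPreviewHtml(content) {
  return escapeHtml(content).split(/\r?\n/).join('<br>');
}

// Defence in depth for the preview route: no inline script runs even if markup slips through.
function previewCspHeader() {
  return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";
}

// Constructed sample of a tampered save request body.
const tamperedContent = 'Launch day!\n<img src=x onerror="alert(1)">';

console.log('reject at save time:', containsRawHtml(tamperedContent));    // true
console.log('unsafe preview:', renderPreviewHtmlUnsafe(tamperedContent)); // tag reaches the DOM
console.log('safe preview:', renderPreviewHtml(tamperedContent));         // tag shown as text
console.log('Content-Security-Policy:', previewCspHeader());
```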

Advisories

No advisories yet.

History

Fri, 08 May 2026 23:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Gitroomhq; Gitroomhq postiz-app
Vendors & Products   -                Gitroomhq; Gitroomhq postiz-app

Fri, 08 May 2026 22:45:00 +0000

Type          Values Removed   Values Added
Description   -                Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who can create a post can store arbitrary HTML in post content by tampering their own save request and send the public preview link /p/<postId>?share=true to another user. The preview page renders that stored HTML with dangerouslySetInnerHTML on the main application origin. This issue has been patched in version 2.21.7.
Title         -                Postiz stored XSS in public preview page
Weaknesses    -                CWE-79
References    -                -
Metrics       -                cvssV3_1 {'score': 8.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T22:28:33.086Z

Reserved: 2026-04-28T16:56:50.192Z

Link: CVE-2026-42556

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T23:16:39.373

Modified: 2026-05-08T23:16:39.373

Link: CVE-2026-42556

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T23:30:15Z

Weaknesses