PatchSiren cyber security CVE debrief

CVE-2026-42556 Gitroom CVE debrief

Postiz versions 2.21.6 through 2.21.6 (before 2.21.7) contain a stored cross-site scripting vulnerability. Authenticated users with post creation privileges can inject arbitrary HTML into post content by tampering with save requests. This HTML is rendered unsafely via dangerouslySetInnerHTML on public preview pages at /p/<postId>?share=true, enabling attacks against viewers of shared post previews. The vulnerability was patched in version 2.21.7.

Vendor: Gitroom
Product: Postiz
CVSS: HIGH 8.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-18
Advisory published: 2026-05-08
Advisory updated: 2026-05-18

Who should care

Organizations running self-hosted Postiz instances; security teams monitoring social media management platforms; developers using React applications with dangerouslySetInnerHTML

Technical summary

The vulnerability exists in Postiz's post creation flow: by tampering with the save request on the client side, an authenticated user can bypass content sanitization and store arbitrary HTML. The public preview endpoint /p/<postId>?share=true then renders this stored content through React's dangerouslySetInnerHTML prop without adequate sanitization, so attacker-controlled script executes in the context of the main application origin. This creates a stored XSS condition that is exploitable by distributing preview links to victims through social engineering.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Postiz to version 2.21.7 or later
  • Review application logs for suspicious post content containing script tags or event handlers in the disclosure-to-patch window
  • Implement Content Security Policy headers to mitigate impact of any residual XSS vectors
  • Audit user accounts with post creation privileges for anomalous activity
  • Consider input sanitization layers for post content regardless of client-side validation
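As an added example (not Postiz's own code), the server-side sanitization layer the last action calls for, applied when the post is saved so that tampering with the save request cannot bypass client-side checks, together with a small detector for the log-review step. The tag allowlist, function names and sample inputs are assumptions made for this illustration.

```javascript
// Allowlist of tags a post body may keep; everything else is dropped. (Assumed set.)
const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "em", "strong", "a"]);

// Entity-escape text so it can never be parsed as markup; existing entities survive.
function escapeText(s) {
  return s.replace(/&(?![a-zA-Z#0-9]+;)/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Rebuild one tag from scratch: only the tag name survives, plus an http(s)
// href for <a>. Event handlers, style, javascript:/data: URLs are all discarded.
function rebuildTag(tag) {
  const m = /^<(\/?)([a-zA-Z0-9]+)/.exec(tag);
  if (!m || !ALLOWED_TAGS.has(m[2].toLowerCase())) return "";
  const name = m[2].toLowerCase();
  if (m[1] === "/") return name === "br" ? "" : `</${name}>`;
  if (name !== "a") return `<${name}>`;
  const href = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(tag);
  const url = href ? (href[1] ?? href[2] ?? href[3]).trim() : "";
  if (!/^https?:\/\//i.test(url)) return "<a>";
  return `<a href="${escapeText(url)}" rel="noopener noreferrer">`;
}

// Server-side sanitizer: tokenize into complete tags and text. Text (including any
// '<' that never formed a complete tag) is escaped, tags are rebuilt from the allowlist.
function sanitizePostHtml(html) {
  return html.split(/(<\/?[a-zA-Z][^<>]*>)/)
    .map((tok, i) => (i % 2 === 1 ? rebuildTag(tok) : escapeText(tok)))
    .join("");
}

// Triage helper for reviewing stored posts from the disclosure-to-patch window:
// returns the reasons a post body looks like injected markup rather than editor output.
function findSuspiciousMarkup(html) {
  const checks = [
    ["script tag", /<\s*script\b/i],
    ["event handler attribute", /\bon[a-z]+\s*=/i],
    ["javascript: URL", /javascript\s*:/i],
    ["embedded frame/object", /<\s*(iframe|object|embed|svg)\b/i],
  ];
  return checks.filter(([, re]) => re.test(html)).map(([label]) => label);
}

// Constructed sample of a tampered save request body, not real Postiz data.
const tampered = '<p>Hi</p><img src=x onerror="alert(document.domain)">';
console.log(findSuspiciousMarkup(tampered)); // [ 'event handler attribute' ]
console.log(sanitizePostHtml(tampered));     // <p>Hi</p>
```

The sanitized form is what should be persisted and what the preview page should render; sanitizing again at render time costs little and covers content stored before the fix.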

Evidence notes

NVD analyzed status; GitHub Security Advisory GHSA-hhxq-3wg7-4rj8; vendor release notes confirm patch in v2.21.7. CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L. CWE-79 classification.
