PatchSiren

udecode CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH udecode CVE published 2026-07-08

CVE-2026-55596

CVE-2026-55596 is a vulnerability in the Plate rich-text editor with AI and shadcn/ui. From version 53.0.0 until 53.1.4, the media embed renderer trusts serialized provider or sourceUrl metadata in useMediaState and skips parseMediaUrl protocol validation. This allows a crafted Plate document to set a known video provider while keeping the URL as a javascript: iframe source that the registry MediaEmbedEle [truncated]