HIGH
udecode
CVE published 2026-07-08
CVE-2026-55596
CVE-2026-55596 is a vulnerability in the Plate rich-text editor with AI and shadcn/ui. From version 53.0.0 until 53.1.4, the media embed renderer trusts serialized provider or sourceUrl metadata in useMediaState and skips parseMediaUrl protocol validation. This allows a crafted Plate document to set a known video provider while keeping the URL as a javascript: iframe source that the registry MediaEmbedEle [truncated]