CVE-2026-55596
Severity CVSS v4.0:
Pending analysis
Type:
CWE-79
Cross-Site Scripting (XSS)
Publication date:
08/07/2026
Last modified:
10/07/2026
Description
Plate is a rich-text editor with AI and shadcn/ui. From 53.0.0 until 53.1.4, the media embed renderer trusts serialized provider or sourceUrl metadata in useMediaState and skips parseMediaUrl protocol validation, allowing a crafted Plate document to set a known video provider while keeping url as a javascript: iframe source that the registry MediaEmbedElement renders directly as an iframe src when a victim opens the document. This issue is fixed in version 53.1.4.
Impact
Base Score 3.x
8.70
Severity 3.x
HIGH
References to Advisories, Solutions, and Tools
- https://github.com/udecode/plate/commit/6214914ca811adf22d0ad503154494216eed68ba
- https://github.com/udecode/plate/pull/5014
- https://github.com/udecode/plate/releases/tag/v53.1.4
- https://github.com/udecode/plate/security/advisories/GHSA-qj6x-xx2h-8hvv
- https://github.com/udecode/plate/security/advisories/GHSA-qj6x-xx2h-8hvv



