๐Ÿ” CVE Alert

CVE-2026-55596

HIGH 8.7

Plate: Media embed provider metadata can bypass URL sanitization and execute iframe JavaScript

CVSS Score
8.7
EPSS Score
0.2%
EPSS Percentile
15th

Plate is a rich-text editor with AI and shadcn/ui. From 53.0.0 until 53.1.4, the media embed renderer trusts serialized provider or sourceUrl metadata in useMediaState and skips parseMediaUrl protocol validation, allowing a crafted Plate document to set a known video provider while keeping url as a javascript: iframe source that the registry MediaEmbedElement renders directly as an iframe src when a victim opens the document. This issue is fixed in version 53.1.4.

CWE CWE-79
Vendor udecode
Product plate
Published Jul 8, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for udecode plate

Be the first to know when new high vulnerabilities affecting udecode plate are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Affected Versions

udecode / plate
>= 53.0.0, < 53.1.4

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/udecode/plate/security/advisories/GHSA-qj6x-xx2h-8hvv github.com: https://github.com/udecode/plate/pull/5014 github.com: https://github.com/udecode/plate/commit/6214914ca811adf22d0ad503154494216eed68ba github.com: https://github.com/udecode/plate/releases/tag/v53.1.4