CVE-2026-55596 in plate
Summary
by MITRE • 07/09/2026
Plate is a rich-text editor with AI and shadcn/ui. From 53.0.0 until 53.1.4, the media embed renderer trusts serialized provider or sourceUrl metadata in useMediaState and skips parseMediaUrl protocol validation, allowing a crafted Plate document to set a known video provider while keeping url as a javascript: iframe source that the registry MediaEmbedElement renders directly as an iframe src when a victim opens the document. This issue is fixed in version 53.1.4.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/09/2026
This vulnerability exists within Plate, a rich-text editor incorporating artificial intelligence capabilities and shadcn/ui components, specifically affecting versions 53.0.0 through 53.1.3. The flaw stems from improper validation of media embed metadata during the rendering process, creating a critical security risk that allows attackers to manipulate embedded content through crafted documents. The vulnerability manifests when the media embed renderer processes serialized provider or sourceUrl metadata obtained from useMediaState without performing adequate protocol validation on the URL structure.
The technical implementation of this flaw involves the MediaEmbedElement registry component directly using the provided sourceUrl as an iframe src attribute without proper sanitization or protocol verification. When a victim opens a maliciously crafted Plate document, the renderer trusts the embedded metadata and executes the javascript: protocol URL within an iframe context, effectively bypassing standard security restrictions that would normally prevent execution of javascript protocols in iframe sources. This represents a classic cross-site scripting vulnerability where the attacker can inject arbitrary javascript code that executes in the victim's browser context when they open the document.
The operational impact of this vulnerability is severe as it enables attackers to execute malicious code against users who open compromised documents, potentially leading to credential theft, session hijacking, or other malicious activities. The vulnerability specifically affects the media embedding functionality within Plate's rich-text editor environment, making it particularly dangerous for collaborative platforms where users frequently share and open documents from unknown sources. From a cybersecurity perspective, this issue aligns with CWE-79 Cross-site Scripting and follows ATT&CK technique T1203 Exploitation for Client Execution.
The fix implemented in version 53.1.4 addresses the core validation gap by introducing proper protocol validation checks on media URLs before rendering them as iframe sources. This mitigation ensures that only trusted protocols are accepted, preventing javascript: and other dangerous protocols from being executed within embedded content. Organizations should immediately update to version 53.1.4 or later to protect against exploitation attempts, while also implementing additional defensive measures such as document sanitization policies and user education about opening untrusted rich-text documents. The vulnerability demonstrates the importance of proper input validation in rich-text editors and highlights the need for comprehensive security testing of all components that process external content within web applications.