4 matches found
CVE-2026-42298
Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow .github/workflows/pr-docker-build.yml allows any unauthenticated user to execute arbitrary code during the Docker build process and exfiltrate a...
CVE-2026-42346 Postiz: TOCTOU DNS rebinding bypasses all SSRF URL validation paths
Postiz is an AI social media scheduling tool. From version 2.16.6 to before version 2.21.7, all SSRF protections added in v2.21.4–v2.21.6 share a fundamental TOCTOU Time-of-Check-Time-of-Use vulnerability: isSafePublicHttpsUrl resolves DNS to validate the target IP, but subsequent fetch calls...
CVE-2026-40168
Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a...
CVE-2026-40168 Postiz has Server-Side Request Forgery via Redirect Bypass in /api/public/stream
Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a...