12 matches found
CVE-2026-40168
Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a...
EUVD-2026-21571
Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a...
CVE-2026-40168 Postiz has Server-Side Request Forgery via Redirect Bypass in /api/public/stream
Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a...
CVE-2026-40168
Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a...
Gitroom Postiz 代码问题漏洞
Gitroom Postiz is an open-source social media scheduling tool developed by Gitroom. Versions of Gitroom Postiz prior to 2.21.5 contained code vulnerabilities. These vulnerabilities stemmed from a server-side request forgeing vulnerability present in the/api/public/stream endpoint. The application...
PT-2026-32029
Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a...
CVE-2026-34577
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith'mp4', which is trivially bypassable by...
CVE-2026-34577 Postiz: Unauthenticated Full-Read SSRF via /public/stream Endpoint with Trivially Bypassable Extension Check
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith'mp4', which is trivially bypassable by...
EUVD-2026-18448
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith'mp4', which is trivially bypassable by...
CVE-2026-34577
Postiz (AI social media scheduling) before version 2.21.3 was vulnerable to an unauthenticated SSRF via GET /public/stream. The endpoint proxies a user-supplied url parameter and only validates url.endsWith('mp4'), which is trivially bypassed by appending .mp4 in the parameter or URL fragment, al...
CVE-2026-34577 Postiz: Unauthenticated Full-Read SSRF via /public/stream Endpoint with Trivially Bypassable Extension Check
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith'mp4', which is trivially bypassable by...
PT-2026-29853
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith'mp4', which is trivially bypassable by...