12 matches found

NVD
added 2026/04/10 8:16 p.m., 5 views

CVE-2026-40168

Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a...

CVSS 8.2, EPSS 0.00371
Exploits: 1, References: 3
EUVD
added 2026/04/10 7:20 p.m., 2 views

EUVD-2026-21571

Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a...

CVSS 8.2, AI score 5.8, EPSS 0.00371
Exploits: 1, References: 3
Cvelist
added 2026/04/10 7:20 p.m., 19 views

CVE-2026-40168 Postiz has Server-Side Request Forgery via Redirect Bypass in /api/public/stream

Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a...

CVSS 8.2, EPSS 0.00371
Exploits: 1, References: 3
ATTACKERKB
added 2026/04/10 7:20 p.m., 4 views

CVE-2026-40168

Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a...

CVSS 8.2, AI score 5.8, EPSS 0.00371
Exploits: 1, References: 4, Affected Software: 1
CNNVD
added 2026/04/10 12:00 a.m., 12 views

Gitroom Postiz code issue vulnerability

Gitroom Postiz is an open-source social media scheduling tool developed by Gitroom. Versions of Gitroom Postiz prior to 2.21.5 contained code vulnerabilities. These vulnerabilities stemmed from a server-side request forgery vulnerability present in the /api/public/stream endpoint. The application...

CVSS 8.2, AI score 5.9, EPSS 0.00371
Exploits: 1, References: 3
Positive Technologies
added 2026/04/10 12:00 a.m., 8 views

PT-2026-32029

Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a...

CVSS 8.2, AI score 5.8, EPSS 0.00371
Exploits: 1, References: 4
RedhatCVE
added 2026/04/03 11:01 p.m., 4 views

CVE-2026-34577

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith('mp4'), which is trivially bypassable by...

CVSS 8.6, AI score 5.8, EPSS 0.00474
Exploits: 1, References: 1
Vulnrichment
added 2026/04/02 5:24 p.m., 3 views

CVE-2026-34577 Postiz: Unauthenticated Full-Read SSRF via /public/stream Endpoint with Trivially Bypassable Extension Check

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith('mp4'), which is trivially bypassable by...

CVSS 8.6, AI score 5.8, EPSS 0.00474
Exploits: 1, References: 2
EUVD
added 2026/04/02 5:24 p.m., 3 views

EUVD-2026-18448

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith('mp4'), which is trivially bypassable by...

CVSS 8.6, AI score 5.8, EPSS 0.00474
Exploits: 1, References: 2
CVE
added 2026/04/02 5:24 p.m., 7 views

CVE-2026-34577

Postiz (AI social media scheduling) before version 2.21.3 was vulnerable to an unauthenticated SSRF via GET /public/stream. The endpoint proxies a user-supplied url parameter and only validates url.endsWith('mp4'), which is trivially bypassed by appending .mp4 in the parameter or URL fragment, al...

CVSS 8.6, AI score 5.8, EPSS 0.00474
Exploits: 1, References: 2, Affected Software: 1
Cvelist
added 2026/04/02 5:24 p.m., 17 views

CVE-2026-34577 Postiz: Unauthenticated Full-Read SSRF via /public/stream Endpoint with Trivially Bypassable Extension Check

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith('mp4'), which is trivially bypassable by...

CVSS 8.6, EPSS 0.00474
Exploits: 1, References: 2
Positive Technologies
added 2026/04/02 12:00 a.m., 8 views

PT-2026-29853

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith('mp4'), which is trivially bypassable by...

CVSS 8.6, AI score 5.8, EPSS 0.00474
Exploits: 1, References: 5