20 matches found

RedhatCVE (added 2026/04/03 11:02 p.m., 1 view)

CVE-2026-34576

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get with no SSRF protections. The only validation is a file extension check (.png, .jpg, etc.), which is trivially...

CVSS 8.3 | AI score 5.8 | EPSS 0.0004
Exploits: 1 | References: 1

Vulnrichment (added 2026/04/02 5:23 p.m., 1 view)

CVE-2026-34576 Postiz: SSRF in upload-from-url endpoint allows fetching internal resources and cloud metadata

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get with no SSRF protections. The only validation is a file extension check (.png, .jpg, etc.), which is trivially...

CVSS 8.3 | AI score 5.8 | EPSS 0.0004
Exploits: 1 | References: 2

ATTACKERKB (added 2026/04/02 5:23 p.m., 1 view)

CVE-2026-34576

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get with no SSRF protections. The only validation is a file extension check (.png, .jpg, etc.), which is trivially...

CVSS 8.3 | AI score 5.8 | EPSS 0.0004
Exploits: 1 | References: 3 | Affected Software: 1

CVE (added 2026/04/02 5:23 p.m., 3 views)

CVE-2026-34576

Postiz (AI social media scheduling tool) has an SSRF vulnerability in the POST /public/v1/upload-from-url endpoint prior to version 2.21.3. An authenticated API user can supply a URL, which is fetched server-side via axios.get() without SSRF protections; only file-extension validation exists (e.g....

CVSS 8.3 | AI score 5.8 | EPSS 0.0004
Exploits: 1 | References: 2 | Affected Software: 1

EUVD (added 2026/04/02 5:23 p.m., 2 views)

EUVD-2026-18446

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get with no SSRF protections. The only validation is a file extension check (.png, .jpg, etc.), which is trivially...

CVSS 8.3 | AI score 5.8 | EPSS 0.0004
Exploits: 1 | References: 2

Cvelist (added 2026/04/02 5:23 p.m., 13 views)

CVE-2026-34576 Postiz: SSRF in upload-from-url endpoint allows fetching internal resources and cloud metadata

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get with no SSRF protections. The only validation is a file extension check (.png, .jpg, etc.), which is trivially...

CVSS 8.3 | EPSS 0.0004
Exploits: 1 | References: 2

CNNVD (added 2026/04/02 12:00 a.m., 2 views)

Gitroom Postiz Code Issue Vulnerability

Gitroom Postiz is an open-source social media scheduling tool developed by Gitroom. Versions of Gitroom Postiz prior to 2.21.3 contained code vulnerabilities. These vulnerabilities stemmed from the lack of server-side request forgery protection in the POST /public/v1/upload-from-url endpoint, whi...

CVSS 8.3 | AI score 5.9 | EPSS 0.0004
Exploits: 1 | References: 2

Positive Technologies (added 2026/04/02 12:00 a.m., 2 views)

PT-2026-29852

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get with no SSRF protections. The only validation is a file extension check (.png, .jpg, etc.), which is trivially...

CVSS 8.3 | AI score 5.8 | EPSS 0.0004
Exploits: 1 | References: 3

RedhatCVE (added 2026/01/09 11:27 a.m., 5 views)

CVE-2021-33213

An SSRF vulnerability in the "Upload from URL" feature in Elements-IT HTTP Commander 5.3.3 allows remote authenticated users to retrieve HTTP and FTP files from the internal server network by inserting an internal address...

CVSS 6.5 | AI score 6.6 | EPSS 0.0025
Exploits: 1 | References: 1

Positive Technologies (added 2025/09/09 12:00 a.m., 2 views)

PT-2025-36946

Name of the Vulnerable Software and Affected Versions: halo versions prior to 2.20.17
Description: The software is vulnerable to a server-side request forgery (SSRF) issue. The vulnerability exists in the /apis/uc.api.storage.halo.run/v1alpha1/attachments/-/upload-from-url API endpoint...

CVSS 9.1 | AI score 6.5 | EPSS 0.00064
Exploits: 0 | References: 3

OSV (added 2021/09/07 7:15 p.m., 10 views)

CVE-2021-39195

Misskey is an open source, decentralized microblogging platform. In affected versions a Server-Side Request Forgery vulnerability exists in "Upload from URL" and remote attachment handling. This could result in the disclosure of non-public information within the internal network. This has been...

CVSS 6.5 | AI score 6.5
Exploits: 0 | References: 3

Prion (added 2021/09/07 7:15 p.m., 11 views)

Server-side request forgery (SSRF)

Misskey is an open source, decentralized microblogging platform. In affected versions a Server-Side Request Forgery vulnerability exists in "Upload from URL" and remote attachment handling. This could result in the disclosure of non-public information within the internal network. This has been...

CVSS 4 | AI score 6.3 | EPSS 0.00239
Exploits: 0 | References: 3 | Affected Software: 1

OSV (added 2021/07/14 2:15 p.m., 2 views)

CVE-2021-33213

An SSRF vulnerability in the "Upload from URL" feature in Elements-IT HTTP Commander 5.3.3 allows remote authenticated users to retrieve HTTP and FTP files from the internal server network by inserting an internal address...

CVSS 6.5 | AI score 5.8
Exploits: 0 | References: 2

Prion (added 2021/07/14 2:15 p.m., 11 views)

Server-side request forgery (SSRF)

An SSRF vulnerability in the "Upload from URL" feature in Elements-IT HTTP Commander 5.3.3 allows remote authenticated users to retrieve HTTP and FTP files from the internal server network by inserting an internal address...

CVSS 4 | AI score 6.2 | EPSS 0.0025
Exploits: 1 | References: 2 | Affected Software: 1

CVE (added 2021/07/14 1:40 p.m., 35 views)

CVE-2021-33213

The CVE-2021-33213 entry documents an SSRF in Elements-IT HTTP Commander 5.3.3, specifically in the Upload from URL feature. When authenticated, an attacker can supply an internal address to retrieve HTTP/FTP resources from the internal network, exposing internal resources. Root cause: SSRF in th...

CVSS 6.5 | AI score 6.2 | EPSS 0.0025
Exploits: 1 | References: 2 | Affected Software: 1

Cvelist (added 2021/07/14 1:40 p.m., 15 views)

CVE-2021-33213

An SSRF vulnerability in the "Upload from URL" feature in Elements-IT HTTP Commander 5.3.3 allows remote authenticated users to retrieve HTTP and FTP files from the internal server network by inserting an internal address...

AI score 6.4 | EPSS 0.0025
Exploits: 1 | References: 2

OSV (added 2019/12/30 8:15 p.m., 10 views)

CVE-2019-16790

In Tiny File Manager before 2.3.9, there is a remote code execution via Upload from URL and Edit/Rename files. Only authenticated users are impacted...

CVSS 8.8 | AI score 7.7
Exploits: 0 | References: 2

Prion (added 2019/12/30 8:15 p.m., 9 views)

Remote code execution

In Tiny File Manager before 2.3.9, there is a remote code execution via Upload from URL and Edit/Rename files. Only authenticated users are impacted...

CVSS 6.5 | AI score 8.9 | EPSS 0.02173
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist (added 2019/12/30 7:15 p.m., 10 views)

CVE-2019-16790 Remote Code Execution in Tiny File Manager

In Tiny File Manager before 2.3.9, there is a remote code execution via Upload from URL and Edit/Rename files. Only authenticated users are impacted...

CVSS 6.5 | AI score 9 | EPSS 0.02173
Exploits: 0 | References: 2

CVE (added 2019/12/30 7:15 p.m., 66 views)

CVE-2019-16790

In Tiny File Manager, versions prior to 2.3.9 are affected by a remote code execution vulnerability exploitable via Upload from URL and Edit/Rename operations. The issue impacts authenticated users, with affected components being the Upload from URL and file-edit/rename paths. Root cause details ...

CVSS 8.8 | AI score 7.9 | EPSS 0.02173
Exploits: 0 | References: 2 | Affected Software: 1
