CVE-2026-34576

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get with no SSRF protections. The only validation is a file extension check .png, .jpg, etc. which is trivially...

CVE-2026-34577

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith'mp4', which is trivially bypassable by...

CVE-2026-34576

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get with no SSRF protections. The only validation is a file extension check .png, .jpg, etc. which is trivially...

CVE-2026-34577

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith'mp4', which is trivially bypassable by...

CVE-2026-34576

Postiz (AI social media scheduling tool) has a SSRF vulnerability in the POST /public/v1/upload-from-url endpoint prior to version 2.21.3. An authenticated API user can supply a URL, which is fetched server-side via axios.get() without SSRF protections; only file-extension validation exists (e.g....

EUVD-2026-18446

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get with no SSRF protections. The only validation is a file extension check .png, .jpg, etc. which is trivially...

PT-2026-29853

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith'mp4', which is trivially bypassable by...

PT-2026-29852

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get with no SSRF protections. The only validation is a file extension check .png, .jpg, etc. which is trivially...

CVE-2023-49744

Cross-Site Request Forgery CSRF vulnerability in Gift Up Gift Up Gift Cards for WordPress and WooCommerce.This issue affects Gift Up Gift Cards for WordPress and WooCommerce: from n/a through 2.21.3...

CVE-2025-14197

A security vulnerability has been detected in Verysync 微力同步 up to 2.21.3. The impacted element is an unknown function of the file /rest/f/api/resources/f96956469e7be39d of the component Web Administration Module. Such manipulation leads to information disclosure. The attack can be executed...

EUVD-2025-201606

A security vulnerability has been detected in Verysync 微力同步 up to 2.21.3. The impacted element is an unknown function of the file /rest/f/api/resources/f96956469e7be39d of the component Web Administration Module. Such manipulation leads to information disclosure. The attack can be executed...

CVE-2025-14198

A vulnerability was detected in Verysync 微力同步 2.21.3. This affects an unknown function of the file /safebrowsing/clientreport/download?key=dummytoken of the component Web Administration Module. Performing manipulation results in information disclosure. The attack is possible to be carried out...

CVE-2025-14199 Verysync 微力同步 Web Administration text.txt unrestricted upload

A flaw has been found in Verysync 微力同步 up to 2.21.3. This impacts an unknown function of the file /rest/f/api/resources/f96956469e7be39d/tmp/text.txt?override=false of the component Web Administration Module. Executing manipulation can lead to unrestricted upload. The attack may be performed from...

CVE-2025-14198

CVE-2025-14198 affects Verysync 微力同步 version 2.21.3, specifically the Web Administration Module’s file /safebrowsing/clientreport/download?key=dummytoken. The issue is an information disclosure caused by manipulation of that endpoint, with remote access possible. Public exploit appears to exist, ...

CVE-2025-14197 Verysync 微力同步 Web Administration f96956469e7be39d information disclosure

A security vulnerability has been detected in Verysync 微力同步 up to 2.21.3. The impacted element is an unknown function of the file /rest/f/api/resources/f96956469e7be39d of the component Web Administration Module. Such manipulation leads to information disclosure. The attack can be executed...

PT-2025-49410

A security vulnerability has been detected in Verysync 微力同步 up to 2.21.3. The impacted element is an unknown function of the file /rest/f/api/resources/f96956469e7be39d of the component Web Administration Module. Such manipulation leads to information disclosure. The attack can be executed...

Verysync 访问控制错误漏洞

Verysync is a private file synchronization and backup software from China-based Weili Synchronization Verysync. An access control error vulnerability exists in Verysync 2.21.3 and earlier versions, which stems from incorrect manipulation of the file /rest/f/api/resources/f96956469e7be39d in the...

EUVD-2023-53667

Malicious code in bioql PyPI...

EUVD-2025-30528

Malicious code in bioql PyPI...

CVE-2025-58654

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Michel - xiligroup dev xili-language xili-language allows DOM-Based XSS.This issue affects xili-language: from n/a through = 2.21.3...