CVE-2026-48783 Postiz has an unauthenticated billing-enforcement bypass via /public/modify-subscription

CVE-2026-48783 affects Postiz prior to version 2.21.8. An unauthenticated endpoint (/public/modify-subscription) accepted a signed token and applied subscription-enforcement side effects to the organization in the token’s claims without verifying the token’s intended purpose. The endpoint could n...