2 matches found
CVE-2026-48799 Postiz: Unauthenticated arbitrary lifetime PRO grant via Nowpayments webhook
Postiz is an AI social media scheduling tool. Prior to 2.21.8, Postiz fails to verify Nowpayments IPN callback authenticity against the payment provider shared secret and reads the target subscription identifier from the untrusted request body, allowing a low-privileged account to grant arbitrary...
CVE-2026-40487 Postiz Has Unrestricted File Upload via MIME Type Spoofing that Leads to Stored XSS
Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to the server by spoofing the Content-Type header. The uploaded files are then served by nginx with a...