2 matches found
CVE-2026-34577
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith('mp4'), which is trivially bypassable by...
SQL Injection Vulnerability in weiphp 'Application\Home\Controller\PublicController.class.php' Page
weiphp is an open source, efficient, simple microsoft development platform. The weiphp 'Application\Home\Controller\PublicController.class.php' page has a SQL injection vulnerability. Due to the direct carry of $data = M(get_table_name($model['id']))->find($id); resulting in the injection of the...