7 matches found
CVE-2026-40487
Postiz is an AI social media scheduling tool. Before version 2.21.6, a file upload validation bypass lets any authenticated user upload HTML/SVG or other executable types by spoofing Content-Type, after which nginx serves them with a Content-Type derived from the original extension (text/html, im...
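The check a practitioner would want for the upload issue above, added here as an example and not code from Postiz: the client-supplied Content-Type is ignored entirely, the file name must carry exactly one allowlisted extension, and the stored bytes must begin with the signature of that type, so HTML or SVG can never land on disk under an image name for the web server to serve. The function names, the signature table and the sample payloads are constructed for this example.

```javascript
// Added example, not Postiz code: classify an upload from its bytes and its
// file name, never from the Content-Type header the client sends. Only a few
// raster image formats are allowlisted; HTML and SVG can never be stored
// under an image extension, so the web server has nothing dangerous to serve.

// The pattern CVE-2026-40487 describes: the claimed type is all that is checked,
// and a request can claim image/png while carrying HTML.
function naiveIsAllowed(claimedContentType) {
  return ["image/png", "image/jpeg", "image/gif"].includes(claimedContentType);
}

// Allowlisted extensions, the type each will be served with, and the
// signature bytes a file of that type must start with.
const SIGNATURES = {
  png: { mime: "image/png", magic: [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]] },
  jpg: { mime: "image/jpeg", magic: [[0xff, 0xd8, 0xff]] },
  jpeg: { mime: "image/jpeg", magic: [[0xff, 0xd8, 0xff]] },
  gif: { mime: "image/gif", magic: [[0x47, 0x49, 0x46, 0x38, 0x37, 0x61], [0x47, 0x49, 0x46, 0x38, 0x39, 0x61]] },
};

function startsWithBytes(bytes, prefix) {
  return bytes.length >= prefix.length && prefix.every((b, i) => bytes[i] === b);
}

// Lower-cased extension from the last path segment, or null. Names with more
// than one dot ("shell.png.html"), odd characters or an extension outside the
// allowlist are refused outright rather than handed to the web server.
function safeExtension(filename) {
  const base = String(filename).split(/[\\/]/).pop().trim().toLowerCase();
  const m = base.match(/^[a-z0-9_-]+\.([a-z0-9]+)$/);
  return m && Object.prototype.hasOwnProperty.call(SIGNATURES, m[1]) ? m[1] : null;
}

// `claimedContentType` is taken only to make the point that it is ignored.
// On success the caller stores the file under a server-chosen name with the
// verified extension and serves it with `mime`.
function classifyUpload(filename, bytes, claimedContentType) {
  void claimedContentType;
  const ext = safeExtension(filename);
  if (!ext) return { ok: false, reason: "extension not in allowlist" };
  const { mime, magic } = SIGNATURES[ext];
  if (!magic.some((m) => startsWithBytes(bytes, m))) {
    return { ok: false, reason: `content does not match .${ext}` };
  }
  return { ok: true, ext, mime };
}

// Constructed sample payloads, not captured uploads.
const PNG_BYTES = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const SVG_BYTES = new TextEncoder().encode('<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>');
const HTML_BYTES = new TextEncoder().encode("<html><script>alert(1)</script></html>");

// Demonstration: the header-only check accepts the first case, the content
// check refuses it.
for (const [name, bytes, claimed] of [
  ["avatar.png", SVG_BYTES, "image/png"],
  ["avatar.svg", SVG_BYTES, "image/svg+xml"],
  ["avatar.png.html", PNG_BYTES, "image/png"],
  ["page.html", HTML_BYTES, "image/png"],
  ["Photo.PNG", PNG_BYTES, "text/html"],
]) {
  console.log(name, "naive:", naiveIsAllowed(claimed), "checked:", classifyUpload(name, bytes, claimed));
}
```

Because the served type is derived from the verified extension rather than the original name, the nginx side still benefits from `add_header X-Content-Type-Options nosniff;` on the upload location so a browser cannot second-guess the type it is given.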
CVE-2026-40168
Postiz is affected by a Server-Side Request Forgery (SSRF) in the /api/public/stream endpoint prior to version 2.21.5. The vulnerability arises because the app validates the initially supplied URL and blocks direct private/internal hosts, but does not re-validate the final destination after HTTP ...
CVE-2026-42556
Postiz (AI social media tool) is affected from v2.21.6 up to, but not including, v2.21.7. An authenticated user who can create posts can tamper with their own save request to store arbitrary HTML in post content. When a user visits the public preview link /p/?share=true, the preview renders the stored...
CVE-2026-42298
CVE-2026-42298 affects Postiz (AI social media scheduling tool). The issue arises in the Build and Publish PR Docker Image workflow (.github/workflows/pr-docker-build.yml), where an unauthenticated user can cause arbitrary code execution during Docker image build by submitting a fork with a malic...
CVE-2026-34576
Postiz (AI social media scheduling tool) has an SSRF vulnerability in the POST /public/v1/upload-from-url endpoint prior to version 2.21.3. An authenticated API user can supply a URL, which is fetched server-side via axios.get() without SSRF protections; only file-extension validation exists (e.g....
CVE-2026-34577
Postiz (AI social media scheduling) before version 2.21.3 was vulnerable to an unauthenticated SSRF via GET /public/stream. The endpoint proxies a user-supplied url parameter and only validates url.endsWith('mp4'), which is trivially bypassed by appending .mp4 in the parameter or URL fragment, al...
CVE-2026-34590
Postiz (AI social media scheduling tool) contains a vulnerability in the POST /webhooks/ endpoint prior to v2.21.4, where WebhooksDto validates the url with only @IsUrl() (format check) and lacks @IsSafeWebhookUrl, allowing blind SSRF because the orchestrator fetches the stored webhook URL withou...
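The four SSRF entries above (CVE-2026-40168, CVE-2026-34576, CVE-2026-34577 and CVE-2026-34590) share one fix: check the scheme, check every address the host resolves to against private and link-local ranges, judge a file extension by the URL path rather than by the end of the raw string, and repeat the whole check on every redirect hop rather than only on the first URL. The block below is an added example, not Postiz code and not the project's @IsSafeWebhookUrl validator. The function names, the example.com hosts, their addresses and the redirect routes are constructed for the example; the default resolver and fetcher assume Node's dns.lookup and the global fetch of Node 18 or later.

```javascript
// Added example, not Postiz code: server-side URL validation for the SSRF
// patterns listed above. Every name here is an assumption of the example.

// The check CVE-2026-34577 quotes: anything whose raw string ends in "mp4"
// passes, and a query string or fragment can supply that ending.
function naiveIsVideoUrl(url) {
  return url.endsWith("mp4");
}

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
const isIPv4 = (s) => IPV4_RE.test(s) && s.split(".").every((p) => Number(p) <= 255);
const ipv4ToInt = (ip) => ip.split(".").reduce((acc, p) => ((acc << 8) | Number(p)) >>> 0, 0);

// Ranges a server-side fetch must never reach: "this" network, RFC 1918,
// CGNAT, loopback and link-local (cloud metadata lives at 169.254.169.254).
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

function isBlockedAddress(addr) {
  const a = String(addr).toLowerCase();
  if (isIPv4(a)) {
    const n = ipv4ToInt(a);
    return BLOCKED_V4.some(([base, bits]) => (n >>> (32 - bits)) === (ipv4ToInt(base) >>> (32 - bits)));
  }
  // IPv4-mapped IPv6 in dotted (::ffff:127.0.0.1) or hex (::ffff:7f00:1) form,
  // the latter being how the WHATWG URL parser serialises it, is judged as IPv4.
  const dotted = a.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  if (dotted) return isBlockedAddress(dotted[1]);
  const hex = a.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (hex) {
    const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
    return isBlockedAddress(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  if (a === "::" || a === "::1") return true;                // unspecified, loopback
  if (/^f[cd]/.test(a) || /^fe[89ab]/.test(a)) return true;  // fc00::/7, fe80::/10
  return !/^[0-9a-f:]+$/.test(a);                             // not an address at all: refuse
}

async function systemResolve(host) {
  const dns = await import("node:dns/promises");  // dynamic import works from CommonJS and ESM
  return (await dns.lookup(host, { all: true })).map((a) => a.address);
}
const systemFetch = (url) => fetch(url, { redirect: "manual" });  // Node 18+ global fetch

// Parse and check one URL. `resolve(host)` returns the addresses a fetch would
// connect to; it is injectable so the check can run offline.
async function validateUrl(raw, resolve = systemResolve) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: "not a URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  // The URL parser already canonicalises 127.1, 2130706433 and 0x7f000001 to 127.0.0.1.
  const host = url.hostname.replace(/^\[|\]$/g, "");  // IPv6 literals keep their brackets
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "localhost" };
  const addrs = isIPv4(host) || host.includes(":") ? [host] : await resolve(host);
  if (addrs.length === 0) return { ok: false, reason: "host does not resolve" };
  const bad = addrs.find(isBlockedAddress);
  if (bad) return { ok: false, reason: `${host} resolves to blocked address ${bad}` };
  return { ok: true, url };
}

// Judge the extension by the path component, so "?x=.mp4" and "#.mp4" do not count.
function hasAllowedExtension(url, allowed) {
  const path = url.pathname.toLowerCase();
  return allowed.some((ext) => path.endsWith(`.${ext}`));
}

// Follow redirects by hand so each hop is validated, which is the gap
// CVE-2026-40168 describes. `fetchImpl` must not follow redirects itself.
async function fetchValidated(raw, { fetchImpl = systemFetch, resolve = systemResolve, maxHops = 5 } = {}) {
  let current = raw;
  for (let hop = 0; hop <= maxHops; hop++) {
    const v = await validateUrl(current, resolve);
    if (!v.ok) return { ok: false, reason: `hop ${hop}: ${v.reason}`, url: current };
    const res = await fetchImpl(v.url.href);
    if (![301, 302, 303, 307, 308].includes(res.status)) return { ok: true, url: v.url.href, response: res };
    const location = res.headers.get("location");
    if (!location) return { ok: false, reason: "redirect without Location", url: current };
    current = new URL(location, v.url).href;  // Location may be relative
  }
  return { ok: false, reason: "too many redirects", url: current };
}

// Constructed fixtures for offline use: example.com names, TEST-NET addresses
// and a redirect that bounces to the metadata service.
const FAKE_DNS = { "cdn.example.com": ["203.0.113.10"], "intranet.example.com": ["10.0.0.5"], "dual.example.com": ["203.0.113.11", "::1"] };
const fakeResolve = async (host) => FAKE_DNS[host] ?? [];
const FAKE_ROUTES = {
  "https://cdn.example.com/video.mp4": { status: 200 },
  "https://cdn.example.com/relative.mp4": { status: 301, location: "/video.mp4" },
  "https://cdn.example.com/redirect.mp4": { status: 302, location: "http://169.254.169.254/latest/meta-data/" },
};
const fakeFetch = async (url) => {
  const r = FAKE_ROUTES[url] ?? { status: 404 };
  return { status: r.status, headers: { get: (n) => (n.toLowerCase() === "location" ? (r.location ?? null) : null) } };
};

fetchValidated("https://cdn.example.com/redirect.mp4", { fetchImpl: fakeFetch, resolve: fakeResolve })
  .then((r) => console.log(r.ok ? `fetched ${r.url}` : `refused: ${r.reason}`));
```

One caveat the example does not close: the check and the fetch resolve the name separately, so a DNS server that answers a public address first and a private one a moment later still gets through. In production the fetch should connect to the address that was checked (a custom agent or lookup hook) rather than resolving again.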