Skip to main content

Postiz App CVE-2026-48799

| EUVDEUVD-2026-44712 HIGH
Insufficient Verification of Data Authenticity (CWE-345)
2026-07-15 GitHub_M
7.7
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Primary rating from Vendor (GitHub_M) · only source for this CVE.

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch available
Jul 15, 2026 - 21:18 EUVD
Source Code Evidence Fetched
Jul 15, 2026 - 16:46 vuln.today
Analysis Generated
Jul 15, 2026 - 16:46 vuln.today
CVE Published
Jul 15, 2026 - 16:11 cve.org
HIGH 7.7

DescriptionCVE.org

Postiz is an AI social media scheduling tool. Prior to 2.21.8, Postiz fails to verify Nowpayments IPN callback authenticity against the payment provider shared secret and reads the target subscription identifier from the untrusted request body, allowing a low-privileged account to grant arbitrary organizations lifetime PRO subscriptions without payment. This issue is fixed in version 2.21.8.

AnalysisAI

Business-logic authentication bypass in Postiz self-hosted AI social media scheduler (gitroomhq/postiz-app) before 2.21.8 lets a low-privileged authenticated user grant any organization a lifetime PRO subscription without paying. The Nowpayments IPN (Instant Payment Notification) callback handler never validated the provider's shared-secret signature and trusted the subscription/organization identifier straight from the request body, so an attacker could forge a payment-confirmation callback. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Recommended ActionAI

Within 24 hours, inventory all Postiz self-hosted deployments and identify which instances have payment processing enabled, then verify that no unauthorized PRO grants have occurred. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48799 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy