EUVD-2026-18452 | CVE-2026-34590
Severity: MEDIUM (CVSS 3.1 base score 5.4)
Published: 2026-04-02
Source: GitHub_M

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline (3 events, newest first)

Apr 02, 2026 - 18:15  Analysis Generated (vuln.today)
Apr 02, 2026 - 18:15  EUVD ID Assigned (euvd): EUVD-2026-18452
Apr 02, 2026 - 17:26  CVE Published (nvd): MEDIUM 5.4

Description

Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto, which validates the url field with only @IsUrl() (a format check) and omits the @IsSafeWebhookUrl validator that blocks internal and private network addresses. The update (PUT /webhooks/) and test (POST /webhooks/send) endpoints correctly apply @IsSafeWebhookUrl, so the restriction is bypassed simply by creating a webhook rather than updating one. When a post is published, the orchestrator fetches the stored webhook URL without any runtime validation, enabling blind SSRF against internal services. This issue has been patched in version 2.21.4.

Analysis

Server-side request forgery (SSRF) in Postiz prior to version 2.21.4 allows any authenticated user to create a webhook whose URL points at an internal or private network address. When a post is published, the orchestrator fetches that stored URL without revalidating it, giving the attacker blind SSRF against internal services: the request is made from the server, although its response is not returned to the caller. The root cause is inconsistent input validation: the creation endpoint (POST /webhooks/) applies only a URL format check, while the update and test endpoints enforce the stricter safe-URL rule. …
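The validation gap the description and analysis point to, as an added example that is not Postiz's code and not the project's @IsSafeWebhookUrl: a plain-TypeScript equivalent of a format-only check beside a literal-address safe-URL rule, applied once at create time (the fixed shape) and again before dispatch (the runtime check the orchestrator lacked). Every identifier in it is an illustrative assumption; it needs only Node 18+ (global URL) and no dependencies.

```typescript
// Added example, not Postiz code. WebhookDto, isSafeWebhookUrl,
// createWebhookVulnerable, createWebhookFixed and dispatchWebhook are
// illustrative names; isSafeWebhookUrl is this example's own approximation
// of a "safe webhook URL" rule, not the project's validator.

export interface WebhookDto {
  name: string;
  url: string;
}

export interface StoredWebhook extends WebhookDto {
  id: number;
}

type Octets = [number, number, number, number];

// Dotted-quad IPv4 literal to octets, or null. The WHATWG URL parser has
// already normalised shorthand such as "127.1", "0x7f000001" and
// "2130706433" to dotted form, so those spellings never reach this regex.
function parseIPv4(host: string): Octets | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o: Octets = [Number(m[1]), Number(m[2]), Number(m[3]), Number(m[4])];
  return o.every((x) => x <= 255) ? o : null;
}

// Address space an outbound webhook must never reach: "this" network,
// loopback, RFC 1918, CGNAT, link-local (cloud metadata lives at
// 169.254.169.254), multicast and reserved.
function isPrivateIPv4([a, b]: Octets): boolean {
  if (a === 0 || a === 10 || a === 127 || a >= 224) return true;
  if (a === 100) return b >= 64 && b <= 127;
  if (a === 169) return b === 254;
  if (a === 172) return b >= 16 && b <= 31;
  return a === 192 && b === 168;
}

// IPv6 literal without brackets: unspecified, loopback, ULA, link-local, or
// an IPv4-mapped address (URL serialises it as ::ffff:hhhh:hhhh) whose
// embedded v4 address is private.
function isPrivateIPv6(host: string): boolean {
  const h = host.toLowerCase();
  if (h === "::" || h === "::1") return true;
  if (/^f[cd]/.test(h)) return true; // fc00::/7
  if (/^fe[89ab]/.test(h)) return true; // fe80::/10
  const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(h);
  if (mapped) {
    const hi = parseInt(mapped[1] ?? "0", 16);
    const lo = parseInt(mapped[2] ?? "0", 16);
    return isPrivateIPv4([hi >> 8, hi & 0xff, lo >> 8, lo & 0xff]);
  }
  return false;
}

// What a format-only check such as @IsUrl() establishes: a parseable http(s)
// URL. This is all the vulnerable create path required.
export function isWellFormedUrl(raw: string): boolean {
  try {
    const u = new URL(raw);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch {
    return false;
  }
}

// The stricter rule: well-formed http(s), no embedded credentials, and not
// addressed to loopback, link-local or private space. Hostnames are checked
// literally; a public name that resolves to a private address needs a
// resolver-time check that this offline example does not include.
export function isSafeWebhookUrl(raw: string): boolean {
  let u: URL;
  try {
    u = new URL(raw);
  } catch {
    return false;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return false;
  if (u.username !== "" || u.password !== "") return false;
  const host = u.hostname;
  if (host === "" || host === "localhost" || host.endsWith(".localhost")) return false;
  if (host.startsWith("[") && host.endsWith("]")) return !isPrivateIPv6(host.slice(1, -1));
  const v4 = parseIPv4(host);
  return v4 === null || !isPrivateIPv4(v4);
}

let nextId = 1;

// Vulnerable shape of the create path: format check only.
export function createWebhookVulnerable(dto: WebhookDto): StoredWebhook {
  if (!isWellFormedUrl(dto.url)) throw new Error("invalid webhook url");
  return { id: nextId++, ...dto };
}

// Fixed shape: create applies the same rule as update and test.
export function createWebhookFixed(dto: WebhookDto): StoredWebhook {
  if (!isSafeWebhookUrl(dto.url)) throw new Error("unsafe webhook url");
  return { id: nextId++, ...dto };
}

// Defence in depth at publish time: re-check the stored URL before fetching,
// so a record that slipped past (or predates) the write-time validator is
// still refused. `send` stands in for the real HTTP call.
export function dispatchWebhook(hook: StoredWebhook, send: (url: string) => void): boolean {
  if (!isSafeWebhookUrl(hook.url)) return false;
  send(hook.url);
  return true;
}
```

The dispatch-time check is the part worth copying: once a URL is persisted, the write path that produced it is out of the picture, and a webhook stored by an older, laxer build will still be fetched by the newer orchestrator unless the consumer validates too. The literal-address rule above is deliberately limited to what can be decided offline; a production version would also resolve the hostname and apply the same private-range test to every returned address, at the moment of connection, to close the DNS-rebinding gap.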


Priority Score: 27 (scale: Low / Medium / High / Critical)

KEV: 0
EPSS: +0.0
CVSS: +27
POC: 0


EUVD-2026-18452 vulnerability details – vuln.today
