Nginx EUVD-2026-23634 | CVE-2026-40487 HIGH
Cross-site Scripting (XSS) (CWE-79)
Published 2026-04-18, source GitHub_M
CVSS 3.1 base score 8.9 (GitHub Advisory)

Severity by source

GitHub Advisory PRIMARY
8.9 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: Low

Lifecycle Timeline (8 events, newest first)

Patch released: Apr 23, 2026 - 15:27 (nvd), patch available
Analysis Updated: Apr 18, 2026 - 02:27 (vuln.today), v2 (cvss_changed)
Re-analysis Queued: Apr 18, 2026 - 02:22 (vuln.today), cvss_changed
Patch available: Apr 18, 2026 - 02:01 (EUVD)
Analysis Generated: Apr 18, 2026 - 01:53 (vuln.today)
EUVD ID Assigned: Apr 18, 2026 - 01:45 (euvd), EUVD-2026-23634
Analysis Generated: Apr 18, 2026 - 01:45 (vuln.today)
CVE Published: Apr 18, 2026 - 01:19 (nvd), HIGH 8.9

Description (GitHub Advisory)

Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to the server by spoofing the Content-Type header. The uploaded files are then served by nginx with a Content-Type derived from their original extension (text/html, image/svg+xml), enabling Stored Cross-Site Scripting (XSS) in the context of the application's origin. This can lead to session riding, account takeover, and full compromise of other users' accounts. Version 2.21.6 contains a fix.

Analysis (AI)

File upload validation bypass in Postiz social media scheduler (versions before 2.21.6) allows authenticated users to upload executable file types (HTML, SVG) with spoofed Content-Type headers, achieving stored XSS when nginx serves files using their original extensions. Attackers can hijack sessions and take over other user accounts. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

1. Recon: Authenticate to Postiz
2. Delivery: Craft malicious HTML/SVG file
3. Exploit: Spoof Content-Type header during upload
4. Install: Server stores file with original extension
5. C2: Distribute link to victim users
6. Execute: Victim accesses uploaded file
7. Impact: Nginx serves as executable content
8. XSS executes in victim browser
9. Hijack session tokens
10. Take over victim account

Vulnerability Assessment (AI)

Exploitation: Requires authenticated access to the Postiz application with file upload privileges (PR:L indicates a low-privilege user account is sufficient). …

Risk Assessment: Real-world risk is HIGH despite requiring authenticated access (PR:L) and user interaction (UI:R). …

Exploit Scenario: An authenticated attacker with basic user privileges creates an account on the Postiz platform and navigates to a file upload feature (profile picture, media attachment, etc.). They craft a malicious HTML file containing JavaScript session hijacking code or an SVG image with an embedded XSS payload. …

Remediation: Upgrade immediately to Postiz version 2.21.6 or later, released by the vendor to address this vulnerability (https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.6). …

Recommended Action (AI)

Within 24 hours: Identify all Postiz deployments and confirm current version numbers. …


EUVD-2026-23634 vulnerability details – vuln.today
