Skip to main content

Postiz App

9 CVEs product

Monthly

CVE-2026-48799 HIGH PATCH This Week

Business-logic authentication bypass in Postiz self-hosted AI social media scheduler (gitroomhq/postiz-app) before 2.21.8 lets a low-privileged authenticated user grant any organization a lifetime PRO subscription without paying. The Nowpayments IPN (Instant Payment Notification) callback handler never validated the provider's shared-secret signature and trusted the subscription/organization identifier straight from the request body, so an attacker could forge a payment-confirmation callback. No public exploit identified at time of analysis and the issue is not in CISA KEV; it was privately reported and fixed by removing the crypto-payment code path entirely.

Information Disclosure Postiz App
NVD GitHub
CVSS 3.1
7.7
CVE-2026-48783 MEDIUM PATCH This Month

Unauthenticated exploitation of Postiz's `/public/modify-subscription` endpoint allowed any caller in possession of a validly signed NowPayments callback token to trigger subscription enforcement side effects against their own organization - disabling team members, dropping integrations, and resetting the scheduled-post cron - without Postiz authentication. The flaw (CWE-345) stems from the NowPayments crypto payment integration: the endpoint verified the token's cryptographic signature but never validated its intended purpose or bound it to a specific subscription-modification context. Impact is strictly self-contained; the endpoint cannot be redirected at other tenants. No public exploit code and no CISA KEV listing have been identified at time of analysis. The issue is fixed in Postiz 2.21.8.

Information Disclosure Postiz App
NVD GitHub
CVSS 3.1
4.8
EPSS
0.2%
CVE-2026-48781 CRITICAL PATCH Act Now

Privilege escalation to SUPERADMIN in Postiz (gitroomhq/postiz-app) versions prior to 2.21.8 allows any authenticated user to forge session JWTs and impersonate arbitrary organizations. The Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_SECRET, and the auth middleware blindly trusted every claim without re-resolving the user from the database. No public exploit identified at time of analysis, but the fix commit is public and the root cause is trivially reproducible from the patch diff.

Information Disclosure Postiz App
NVD GitHub
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-42556 HIGH This Week

Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who can create a post can store arbitrary HTML in post content by tampering their own save request and send the public preview link /p/<postId>?share=true to another user. The preview page renders that stored HTML with dangerouslySetInnerHTML on the main application origin. This issue has been patched in version 2.21.7.

XSS Postiz App
NVD GitHub VulDB
CVSS 3.1
8.9
EPSS
0.0%
CVE-2026-42346 MEDIUM This Month

Postiz is an AI social media scheduling tool. From version 2.16.6 to before version 2.21.7, all SSRF protections added in v2.21.4-v2.21.6 share a fundamental TOCTOU (Time-of-Check-Time-of-Use) vulnerability: isSafePublicHttpsUrl() resolves DNS to validate the target IP, but subsequent fetch() calls resolve DNS independently. An attacker controlling a DNS server can exploit this gap via DNS rebinding to redirect requests to internal network addresses. This issue has been patched in version 2.21.7.

SSRF Postiz App
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-40168 HIGH PATCH This Week

Server-side request forgery in Postiz (gitroomhq postiz-app) versions prior to 2.21.5 allows unauthenticated remote attackers to access internal network resources and exfiltrate sensitive data via the /api/public/stream endpoint. The vulnerability exploits inadequate redirect validation: attackers supply public HTTPS URLs that pass initial validation but redirect server requests to private internal hosts, bypassing security controls. High confidentiality impact with potential service disruption. No public exploit identified at time of analysis.

SSRF Postiz App
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-34590 MEDIUM PATCH This Month

Server-side request forgery (SSRF) in Postiz prior to version 2.21.4 allows authenticated users to create webhooks pointing to internal or private network addresses, which are then fetched without runtime validation when posts are published, enabling blind SSRF attacks against internal services. The vulnerability stems from inconsistent input validation: the webhook creation endpoint (POST /webhooks/) uses only basic URL format checking, while the update and test endpoints correctly enforce strict URL validation. CVSS 5.4 with EPSS exploitation probability reflects the requirement for authentication and limited direct impact, though the ability to target internal infrastructure represents meaningful risk.

SSRF Postiz App
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-34577 HIGH PATCH This Week

Server-side request forgery in Postiz AI social media scheduling tool (versions < 2.21.3) allows unauthenticated remote attackers to read internal network resources and cloud metadata endpoints through the /public/stream proxy endpoint. The vulnerability bypasses trivial .mp4 validation via query parameters or URL fragments, enabling unauthorized access to internal services without authentication. No public exploit identified at time of analysis, but CVSS 8.6 reflects high confidentiality impact with network-level attack vector and low complexity. EPSS data not available, but the combination of no authentication requirement and cloud metadata access risk makes this a priority for organizations running Postiz in cloud environments.

SSRF Postiz App
NVD GitHub
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-34576 HIGH PATCH This Week

Server-side request forgery (SSRF) in Postiz social media scheduling tool versions prior to 2.21.3 allows authenticated API users to fetch arbitrary URLs by exploiting the POST /public/v1/upload-from-url endpoint, which performs server-side URL fetching via axios without SSRF protections and relies solely on a bypassable file extension check. Attackers can retrieve internal network resources, cloud metadata, and internal service data, with responses captured and returned to the attacker. Vendor-released patch available in version 2.21.3.

SSRF Postiz App
NVD GitHub
CVSS 4.0
8.3
EPSS
0.0%
CVSS 7.7
HIGH PATCH This Week

Business-logic authentication bypass in Postiz self-hosted AI social media scheduler (gitroomhq/postiz-app) before 2.21.8 lets a low-privileged authenticated user grant any organization a lifetime PRO subscription without paying. The Nowpayments IPN (Instant Payment Notification) callback handler never validated the provider's shared-secret signature and trusted the subscription/organization identifier straight from the request body, so an attacker could forge a payment-confirmation callback. No public exploit identified at time of analysis and the issue is not in CISA KEV; it was privately reported and fixed by removing the crypto-payment code path entirely.

Information Disclosure Postiz App
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Unauthenticated exploitation of Postiz's `/public/modify-subscription` endpoint allowed any caller in possession of a validly signed NowPayments callback token to trigger subscription enforcement side effects against their own organization - disabling team members, dropping integrations, and resetting the scheduled-post cron - without Postiz authentication. The flaw (CWE-345) stems from the NowPayments crypto payment integration: the endpoint verified the token's cryptographic signature but never validated its intended purpose or bound it to a specific subscription-modification context. Impact is strictly self-contained; the endpoint cannot be redirected at other tenants. No public exploit code and no CISA KEV listing have been identified at time of analysis. The issue is fixed in Postiz 2.21.8.

Information Disclosure Postiz App
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Privilege escalation to SUPERADMIN in Postiz (gitroomhq/postiz-app) versions prior to 2.21.8 allows any authenticated user to forge session JWTs and impersonate arbitrary organizations. The Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_SECRET, and the auth middleware blindly trusted every claim without re-resolving the user from the database. No public exploit identified at time of analysis, but the fix commit is public and the root cause is trivially reproducible from the patch diff.

Information Disclosure Postiz App
NVD GitHub
EPSS 0% CVSS 8.9
HIGH This Week

Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who can create a post can store arbitrary HTML in post content by tampering their own save request and send the public preview link /p/<postId>?share=true to another user. The preview page renders that stored HTML with dangerouslySetInnerHTML on the main application origin. This issue has been patched in version 2.21.7.

XSS Postiz App
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Postiz is an AI social media scheduling tool. From version 2.16.6 to before version 2.21.7, all SSRF protections added in v2.21.4-v2.21.6 share a fundamental TOCTOU (Time-of-Check-Time-of-Use) vulnerability: isSafePublicHttpsUrl() resolves DNS to validate the target IP, but subsequent fetch() calls resolve DNS independently. An attacker controlling a DNS server can exploit this gap via DNS rebinding to redirect requests to internal network addresses. This issue has been patched in version 2.21.7.

SSRF Postiz App
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Server-side request forgery in Postiz (gitroomhq postiz-app) versions prior to 2.21.5 allows unauthenticated remote attackers to access internal network resources and exfiltrate sensitive data via the /api/public/stream endpoint. The vulnerability exploits inadequate redirect validation: attackers supply public HTTPS URLs that pass initial validation but redirect server requests to private internal hosts, bypassing security controls. High confidentiality impact with potential service disruption. No public exploit identified at time of analysis.

SSRF Postiz App
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Server-side request forgery (SSRF) in Postiz prior to version 2.21.4 allows authenticated users to create webhooks pointing to internal or private network addresses, which are then fetched without runtime validation when posts are published, enabling blind SSRF attacks against internal services. The vulnerability stems from inconsistent input validation: the webhook creation endpoint (POST /webhooks/) uses only basic URL format checking, while the update and test endpoints correctly enforce strict URL validation. CVSS 5.4 with EPSS exploitation probability reflects the requirement for authentication and limited direct impact, though the ability to target internal infrastructure represents meaningful risk.

SSRF Postiz App
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Server-side request forgery in Postiz AI social media scheduling tool (versions < 2.21.3) allows unauthenticated remote attackers to read internal network resources and cloud metadata endpoints through the /public/stream proxy endpoint. The vulnerability bypasses trivial .mp4 validation via query parameters or URL fragments, enabling unauthorized access to internal services without authentication. No public exploit identified at time of analysis, but CVSS 8.6 reflects high confidentiality impact with network-level attack vector and low complexity. EPSS data not available, but the combination of no authentication requirement and cloud metadata access risk makes this a priority for organizations running Postiz in cloud environments.

SSRF Postiz App
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Server-side request forgery (SSRF) in Postiz social media scheduling tool versions prior to 2.21.3 allows authenticated API users to fetch arbitrary URLs by exploiting the POST /public/v1/upload-from-url endpoint, which performs server-side URL fetching via axios without SSRF protections and relies solely on a bypassable file extension check. Attackers can retrieve internal network resources, cloud metadata, and internal service data, with responses captured and returned to the attacker. Vendor-released patch available in version 2.21.3.

SSRF Postiz App
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy