Postiz App
Monthly
Business-logic authentication bypass in Postiz self-hosted AI social media scheduler (gitroomhq/postiz-app) before 2.21.8 lets a low-privileged authenticated user grant any organization a lifetime PRO subscription without paying. The Nowpayments IPN (Instant Payment Notification) callback handler never validated the provider's shared-secret signature and trusted the subscription/organization identifier straight from the request body, so an attacker could forge a payment-confirmation callback. No public exploit identified at time of analysis and the issue is not in CISA KEV; it was privately reported and fixed by removing the crypto-payment code path entirely.
Unauthenticated exploitation of Postiz's `/public/modify-subscription` endpoint allowed any caller in possession of a validly signed NowPayments callback token to trigger subscription enforcement side effects against their own organization - disabling team members, dropping integrations, and resetting the scheduled-post cron - without Postiz authentication. The flaw (CWE-345) stems from the NowPayments crypto payment integration: the endpoint verified the token's cryptographic signature but never validated its intended purpose or bound it to a specific subscription-modification context. Impact is strictly self-contained; the endpoint cannot be redirected at other tenants. No public exploit code and no CISA KEV listing have been identified at time of analysis. The issue is fixed in Postiz 2.21.8.
Privilege escalation to SUPERADMIN in Postiz (gitroomhq/postiz-app) versions prior to 2.21.8 allows any authenticated user to forge session JWTs and impersonate arbitrary organizations. The Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_SECRET, and the auth middleware blindly trusted every claim without re-resolving the user from the database. No public exploit identified at time of analysis, but the fix commit is public and the root cause is trivially reproducible from the patch diff.
Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who can create a post can store arbitrary HTML in post content by tampering their own save request and send the public preview link /p/<postId>?share=true to another user. The preview page renders that stored HTML with dangerouslySetInnerHTML on the main application origin. This issue has been patched in version 2.21.7.
Postiz is an AI social media scheduling tool. From version 2.16.6 to before version 2.21.7, all SSRF protections added in v2.21.4-v2.21.6 share a fundamental TOCTOU (Time-of-Check-Time-of-Use) vulnerability: isSafePublicHttpsUrl() resolves DNS to validate the target IP, but subsequent fetch() calls resolve DNS independently. An attacker controlling a DNS server can exploit this gap via DNS rebinding to redirect requests to internal network addresses. This issue has been patched in version 2.21.7.
Server-side request forgery in Postiz (gitroomhq postiz-app) versions prior to 2.21.5 allows unauthenticated remote attackers to access internal network resources and exfiltrate sensitive data via the /api/public/stream endpoint. The vulnerability exploits inadequate redirect validation: attackers supply public HTTPS URLs that pass initial validation but redirect server requests to private internal hosts, bypassing security controls. High confidentiality impact with potential service disruption. No public exploit identified at time of analysis.
Server-side request forgery (SSRF) in Postiz prior to version 2.21.4 allows authenticated users to create webhooks pointing to internal or private network addresses, which are then fetched without runtime validation when posts are published, enabling blind SSRF attacks against internal services. The vulnerability stems from inconsistent input validation: the webhook creation endpoint (POST /webhooks/) uses only basic URL format checking, while the update and test endpoints correctly enforce strict URL validation. CVSS 5.4 with EPSS exploitation probability reflects the requirement for authentication and limited direct impact, though the ability to target internal infrastructure represents meaningful risk.
Server-side request forgery in Postiz AI social media scheduling tool (versions < 2.21.3) allows unauthenticated remote attackers to read internal network resources and cloud metadata endpoints through the /public/stream proxy endpoint. The vulnerability bypasses trivial .mp4 validation via query parameters or URL fragments, enabling unauthorized access to internal services without authentication. No public exploit identified at time of analysis, but CVSS 8.6 reflects high confidentiality impact with network-level attack vector and low complexity. EPSS data not available, but the combination of no authentication requirement and cloud metadata access risk makes this a priority for organizations running Postiz in cloud environments.
Server-side request forgery (SSRF) in Postiz social media scheduling tool versions prior to 2.21.3 allows authenticated API users to fetch arbitrary URLs by exploiting the POST /public/v1/upload-from-url endpoint, which performs server-side URL fetching via axios without SSRF protections and relies solely on a bypassable file extension check. Attackers can retrieve internal network resources, cloud metadata, and internal service data, with responses captured and returned to the attacker. Vendor-released patch available in version 2.21.3.
Business-logic authentication bypass in Postiz self-hosted AI social media scheduler (gitroomhq/postiz-app) before 2.21.8 lets a low-privileged authenticated user grant any organization a lifetime PRO subscription without paying. The Nowpayments IPN (Instant Payment Notification) callback handler never validated the provider's shared-secret signature and trusted the subscription/organization identifier straight from the request body, so an attacker could forge a payment-confirmation callback. No public exploit identified at time of analysis and the issue is not in CISA KEV; it was privately reported and fixed by removing the crypto-payment code path entirely.
Unauthenticated exploitation of Postiz's `/public/modify-subscription` endpoint allowed any caller in possession of a validly signed NowPayments callback token to trigger subscription enforcement side effects against their own organization - disabling team members, dropping integrations, and resetting the scheduled-post cron - without Postiz authentication. The flaw (CWE-345) stems from the NowPayments crypto payment integration: the endpoint verified the token's cryptographic signature but never validated its intended purpose or bound it to a specific subscription-modification context. Impact is strictly self-contained; the endpoint cannot be redirected at other tenants. No public exploit code and no CISA KEV listing have been identified at time of analysis. The issue is fixed in Postiz 2.21.8.
Privilege escalation to SUPERADMIN in Postiz (gitroomhq/postiz-app) versions prior to 2.21.8 allows any authenticated user to forge session JWTs and impersonate arbitrary organizations. The Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_SECRET, and the auth middleware blindly trusted every claim without re-resolving the user from the database. No public exploit identified at time of analysis, but the fix commit is public and the root cause is trivially reproducible from the patch diff.
Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who can create a post can store arbitrary HTML in post content by tampering their own save request and send the public preview link /p/<postId>?share=true to another user. The preview page renders that stored HTML with dangerouslySetInnerHTML on the main application origin. This issue has been patched in version 2.21.7.
Postiz is an AI social media scheduling tool. From version 2.16.6 to before version 2.21.7, all SSRF protections added in v2.21.4-v2.21.6 share a fundamental TOCTOU (Time-of-Check-Time-of-Use) vulnerability: isSafePublicHttpsUrl() resolves DNS to validate the target IP, but subsequent fetch() calls resolve DNS independently. An attacker controlling a DNS server can exploit this gap via DNS rebinding to redirect requests to internal network addresses. This issue has been patched in version 2.21.7.
Server-side request forgery in Postiz (gitroomhq postiz-app) versions prior to 2.21.5 allows unauthenticated remote attackers to access internal network resources and exfiltrate sensitive data via the /api/public/stream endpoint. The vulnerability exploits inadequate redirect validation: attackers supply public HTTPS URLs that pass initial validation but redirect server requests to private internal hosts, bypassing security controls. High confidentiality impact with potential service disruption. No public exploit identified at time of analysis.
Server-side request forgery (SSRF) in Postiz prior to version 2.21.4 allows authenticated users to create webhooks pointing to internal or private network addresses, which are then fetched without runtime validation when posts are published, enabling blind SSRF attacks against internal services. The vulnerability stems from inconsistent input validation: the webhook creation endpoint (POST /webhooks/) uses only basic URL format checking, while the update and test endpoints correctly enforce strict URL validation. CVSS 5.4 with EPSS exploitation probability reflects the requirement for authentication and limited direct impact, though the ability to target internal infrastructure represents meaningful risk.
Server-side request forgery in Postiz AI social media scheduling tool (versions < 2.21.3) allows unauthenticated remote attackers to read internal network resources and cloud metadata endpoints through the /public/stream proxy endpoint. The vulnerability bypasses trivial .mp4 validation via query parameters or URL fragments, enabling unauthorized access to internal services without authentication. No public exploit identified at time of analysis, but CVSS 8.6 reflects high confidentiality impact with network-level attack vector and low complexity. EPSS data not available, but the combination of no authentication requirement and cloud metadata access risk makes this a priority for organizations running Postiz in cloud environments.
Server-side request forgery (SSRF) in Postiz social media scheduling tool versions prior to 2.21.3 allows authenticated API users to fetch arbitrary URLs by exploiting the POST /public/v1/upload-from-url endpoint, which performs server-side URL fetching via axios without SSRF protections and relies solely on a bypassable file extension check. Attackers can retrieve internal network resources, cloud metadata, and internal service data, with responses captured and returned to the attacker. Vendor-released patch available in version 2.21.3.