VYPR

Postiz

by Gitroom

CVEs (8)

  • CVE-2026-42298 (Critical), May 8, 2026
    risk 0.58, CVSS 10.0, EPSS 0.01

    Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow (.github/workflows/pr-docker-build.yml) allows any unauthenticated user to execute arbitrary code during the Docker build…

  • CVE-2026-42556 (High), May 8, 2026
    risk 0.51, CVSS 8.9, EPSS 0.00

    Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who can create a post can store arbitrary HTML in post content by tampering their own save request and send the public preview link /p/?share=true to…

  • CVE-2026-40487 (High), Apr 18, 2026
    risk 0.51, CVSS 8.9, EPSS 0.00

    Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to the server by spoofing the `Content-Type` header. The uploaded files are then…

  • CVE-2026-34577 (High), Apr 2, 2026
    risk 0.49, CVSS 8.6, EPSS 0.00

    Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith('mp4'), which is…

  • CVE-2026-40168 (High), Apr 10, 2026
    risk 0.46, CVSS 8.2, EPSS 0.00

    Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP…

  • CVE-2026-34576 (High), Apr 2, 2026
    risk 0.43, CVSS 7.7, EPSS 0.00

    Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get() with no SSRF protections. The only validation is a file extension check (.png, .jpg, etc.)…

  • CVE-2026-42346 (Medium), May 8, 2026
    risk 0.35, CVSS 6.5, EPSS 0.00

    Postiz is an AI social media scheduling tool. From version 2.16.6 to before version 2.21.7, all SSRF protections added in v2.21.4–v2.21.6 share a fundamental TOCTOU (Time-of-Check-Time-of-Use) vulnerability: isSafePublicHttpsUrl() resolves DNS to validate the target IP, but…

  • CVE-2026-34590 (Medium), Apr 2, 2026
    risk 0.28, CVSS 5.4, EPSS 0.00

    Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto which validates the url field with only @IsUrl() (format check), missing the @IsSafeWebhookUrl validator that blocks internal/private…