CVE-2026-40168
Published 2026-04-10
Priority: P3 50 | Severity: high | CVSS 3.1 base score: 8.2
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
EPSS: 0.37% (29.0th percentile)
Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a result, an attacker can supply a public HTTPS URL that passes validation and then redirects the server-side request to an internal resource.
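The pattern the advisory describes, as an added example that is not Postiz code: a validator that is run once on the supplied URL and then hands the request to a client that follows redirects on its own, beside a hardened fetch that never auto-follows and re-validates every `Location` before requesting it. The attacker host `attacker.example`, the route table, `fakeFetch` and `fakeResolve` are constructed stand-ins so the example runs offline; a real deployment would pass the project's own HTTP client and a DNS lookup in their place.

```javascript
// Added example (not Postiz code): validating only the first URL is not enough
// when the HTTP client follows redirects. fetch and DNS are injected as
// parameters so this runs offline with constructed data.

// Addresses a server-side fetch must never reach: IPv4 unspecified, loopback,
// RFC 1918, CGNAT (100.64/10), link-local (169.254/16, incl. cloud metadata);
// IPv6 unspecified/loopback, ULA (fc00::/7), link-local (fe80::/10), and
// IPv4-mapped forms of any of the above.
function isPrivateAddress(ip) {
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (v4) {
    const a = Number(v4[1]), b = Number(v4[2]);
    return a === 0 || a === 10 || a === 127 ||
      (a === 100 && b >= 64 && b <= 127) || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  }
  const v6 = ip.toLowerCase();
  if (v6.startsWith("::ffff:")) {            // IPv4-mapped: dotted or hex form
    const rest = v6.slice(7);
    if (rest.includes(".")) return isPrivateAddress(rest);
    const [h1, h2 = "0"] = rest.split(":");
    const n1 = parseInt(h1, 16), n2 = parseInt(h2, 16);
    return isPrivateAddress(`${n1 >> 8}.${n1 & 255}.${n2 >> 8}.${n2 & 255}`);
  }
  return v6 === "::" || v6 === "::1" || /^f[cd]/.test(v6) || /^fe[89ab]/.test(v6);
}

// Addresses for a parsed URL's host. new URL() already canonicalises numeric
// hosts (http://2130706433/ becomes 127.0.0.1), so literals are inspected after
// parsing, never from the raw string. Non-literals go through `resolve`.
async function hostAddresses(url, resolve) {
  const host = url.hostname;
  if (host.startsWith("[")) return [host.slice(1, -1)];
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return [host];
  return resolve(host);
}

async function validateUrl(rawUrl, resolve) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return { ok: false, reason: "scheme " + url.protocol };
  const addrs = await hostAddresses(url, resolve);
  if (!addrs || addrs.length === 0) return { ok: false, reason: "unresolvable host" };
  if (addrs.some(isPrivateAddress)) return { ok: false, reason: "private address" };
  return { ok: true, url };
}

// Vulnerable pattern: validate once, then let the client chase redirects.
// The final destination is never checked.
async function fetchStreamVulnerable(rawUrl, { fetchFn, resolve }) {
  const v = await validateUrl(rawUrl, resolve);
  if (!v.ok) throw new Error("blocked: " + v.reason);
  return fetchFn(v.url.href, { redirect: "follow" });
}

// Hardened pattern: disable automatic redirects and validate every hop,
// resolving relative Location values against the URL that issued them.
async function fetchStreamHardened(rawUrl, { fetchFn, resolve, maxRedirects = 5 }) {
  let current = rawUrl;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const v = await validateUrl(current, resolve);
    if (!v.ok) throw new Error(`blocked at hop ${hop}: ${v.reason}`);
    const res = await fetchFn(v.url.href, { redirect: "manual" });
    if (![301, 302, 303, 307, 308].includes(res.status)) return res;
    const loc = res.headers.get("location");
    if (!loc) throw new Error("redirect without Location");
    current = new URL(loc, v.url).href;
  }
  throw new Error("too many redirects");
}

// Constructed scenario: a public host that 302s to the cloud metadata service.
// fakeFetch mimics a real client: "follow" silently chases Location, "manual"
// hands the 3xx back. fakeResolve maps the attacker host to a public address.
const ROUTES = {
  "https://attacker.example/stream": { status: 302, headers: { location: "http://169.254.169.254/latest/meta-data/" }, body: "" },
  "http://169.254.169.254/latest/meta-data/": { status: 200, headers: {}, body: "ami-id\ninstance-id\n" },
};
async function fakeFetch(href, { redirect }) {
  let res = ROUTES[href];
  while (res && redirect === "follow" && res.status >= 300 && res.status < 400) res = ROUTES[res.headers.location];
  if (!res) return { status: 404, headers: new Map(), body: "not found" };
  return { status: res.status, headers: new Map(Object.entries(res.headers)), body: res.body };
}
const fakeResolve = async (host) => ({ "attacker.example": ["203.0.113.10"] }[host] || []);

// Runs both fetchers against the same attacker URL and returns what each got.
async function demo() {
  const deps = { fetchFn: fakeFetch, resolve: fakeResolve };
  const reached = await fetchStreamVulnerable("https://attacker.example/stream", deps);
  let hardenedError = null;
  try { await fetchStreamHardened("https://attacker.example/stream", deps); } catch (e) { hardenedError = e.message; }
  return { vulnerableBody: reached.body, hardenedError };
}
```

Two caveats a reviewer would raise on the hardened version: checking resolved addresses is still a time-of-check/time-of-use gap unless the connection is pinned to the address that passed validation (a DNS answer can change between the check and the connect), and 3xx is not the only way a server-side client changes destination, so the same per-hop check belongs on any retry or alternate-service logic the client implements.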
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gitroom | postiz | < 2.21.5 | 2.21.5 |
| gitroomhq | postiz-app | < 2.21.5 | 2.21.5 |
No detection rules found.
No public exploits indexed.
References
- https://github.com/gitroomhq/postiz-app/commit/30e8b777098157362769226d1b46d83ad616cb06
- https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.5
- https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-34w8-5j2v-h6ww