Gitroomhq Postiz-App vulnerabilities
11 known vulnerabilities affecting gitroomhq/postiz-app.
Total CVEs: 11
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: 4 critical, 4 high, 3 medium
Vulnerabilities
CVE-2026-42298 | P2 | CRITICAL | CVSS 9.8 | fixed in commit da448012dd87e94944cbe83a38e7fd023269ec46 | 2026-05-08
CVE-2026-42298 [CRITICAL] CWE-94
Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow (.github/workflows/pr-docker-build.yml) allows any unauthenticated user to execute arbitrary code during the Docker build process and exfiltrate a highly privileged GITHUB_TOKEN (write-all permission
Source: nvd
CVE-2026-34577 | P3 | HIGH | CVSS 8.6 | fixed in 2.21.3 | 2026-04-02
CVE-2026-34577 [HIGH] CWE-918
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith('mp4'), which is trivially bypassable by appending .mp4 as a query parameter value or URL fragm
Source: nvd
CVE-2026-42556 | P3 | CRITICAL | CVSS 9.0 | affects >= 2.21.6, < 2.21.7 | 2026-05-08
CVE-2026-42556 [CRITICAL] CWE-79
Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who can create a post can store arbitrary HTML in post content by tampering with their own save request and send the public preview link /p/?share=true to another user. The preview page renders that stored HTML with dangerouslySetInnerHTML
Source: nvd
CVE-2026-40168 | P3 | HIGH | CVSS 8.2 | fixed in 2.21.5 | 2026-04-10
CVE-2026-40168 [HIGH] CWE-918
Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a result, an attacker can supply a public HTTPS URL that pas
Source: nvd
CVE-2026-34576 | P3 | HIGH | CVSS 7.7 | fixed in 2.21.3 | 2026-04-02
CVE-2026-34576 [HIGH] CWE-918
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get() with no SSRF protections. The only validation is a file extension check (.png, .jpg, etc.), which is trivially bypassed by appending an image extension to any URL pa
Source: nvd
CVE-2025-53641 | P3 | HIGH | CVSS 8.2 | affects >= 1.45.1, < 1.62.3 | 2025-07-11
CVE-2025-53641 [HIGH] CWE-918
Postiz is an AI social media scheduling tool. From 1.45.1 to 1.62.3, the Postiz frontend application allows an attacker to inject arbitrary HTTP headers into the middleware pipeline. This flaw enables a server-side request forgery (SSRF) condition, which can be exploited to initiate unauthorized outbound requests from the server hosting the Postiz app
Source: nvd
CVE-2026-40487 | P3 | CRITICAL | CVSS 9.0 | fixed in 2.21.6 | 2026-04-18
CVE-2026-40487 [CRITICAL] CWE-79
Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to the server by spoofing the `Content-Type` header. The uploaded files are then served by nginx with a Content-Type derived from their original extension
Source: nvd
CVE-2026-42346 | P3 | MEDIUM | CVSS 6.5 | affects >= 2.16.6, < 2.21.7 | 2026-05-08
CVE-2026-42346 [MEDIUM] CWE-918
Postiz is an AI social media scheduling tool. From version 2.16.6 to before version 2.21.7, all SSRF protections added in v2.21.4–v2.21.6 share a fundamental TOCTOU (Time-of-Check-Time-of-Use) vulnerability: isSafePublicHttpsUrl() resolves DNS to validate the target IP, but subsequent fetch() calls resolve DNS independently. An attacker controlling
Source: nvd
CVE-2026-34590 | P4 | MEDIUM | CVSS 5.4 | fixed in 2.21.4 | 2026-04-02
CVE-2026-34590 [MEDIUM] CWE-918
Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto, which validates the url field with only @IsUrl() (format check), missing the @IsSafeWebhookUrl validator that blocks internal/private network addresses. The update (PUT /webhooks/) and test (POST /webhooks/send) e
Source: nvd
CVE-2026-48781 | CRITICAL | CVSS 9.9 | fixed in 2.21.8 | 2026-06-16
CVE-2026-48781 [CRITICAL] CWE-302: Postiz has cross-tenant SUPERADMIN takeover via Skool-provider JWT forgery
Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, the Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_SECRET, and the auth middleware trusted every claim in that JWT without re-resolving the user from the database. Any
Source: cvelistv5
CVE-2026-48783 | MEDIUM | CVSS 4.8 | fixed in 2.21.8 | 2026-06-16
CVE-2026-48783 [MEDIUM] CWE-345: Postiz has an unauthenticated billing-enforcement bypass via /public/modify-subscription
Postiz is an AI social media scheduling tool. Versions prior to 2.21.8 contained an unauthenticated endpoint that accepted a signed token and applied subscription-enforcement side effects to the organization referenced in that token's claims, without verifying the token's intended purpose
Source: cvelistv5