HIGH🇵🇱 Wersja polska

CVE-2026-40168

CVSS 8.2v3.1pub. 2026-04-10upd. 2026-04-14

Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a result, an attacker can supply a public HTTPS URL that passes validation and then redirects the server-side request to an internal resource.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
  • Gitroom Postiz

    APP
    Gitroom
    < 2.21.5
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SSRF
CWE
References

Related vulnerabilities

CVE-2026-42298CRITICAL10.0PL ✓ten sam produkt

Postiz: wykonanie kodu w workflow GitHub Actions przez złośliwy Pull Request

CVE-2026-42556HIGH8.9ten sam produkt

Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated ...

CVE-2026-40487HIGH8.9ten sam produkt

Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows ...

CVE-2026-34576HIGH8.3ten sam produkt

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url end...

CVE-2026-34577HIGH8.6ten sam produkt

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in Publ...