5.4
CVE-2026-34590
- EPSS 0.23%
- Veröffentlicht 02.04.2026 17:26:58
- Zuletzt bearbeitet 07.04.2026 21:21:53
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginPostiz: SSRF via Webhook Creation Endpoint Missing URL Safety Validation
Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto which validates the url field with only @IsUrl() (format check), missing the @IsSafeWebhookUrl validator that blocks internal/private network addresses. The update (PUT /webhooks/) and test (POST /webhooks/send) endpoints correctly apply @IsSafeWebhookUrl. When a post is published, the orchestrator fetches the stored webhook URL without runtime validation, enabling blind SSRF against internal services. This issue has been patched in version 2.21.4.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.23% | 0.13 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 5.4 | 2.8 | 2.5 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
|
CWE-918 Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-wc9c-7cv8-m225
https://github.com/gitroomhq/postiz-app/commit/5ae4c950db6aa516a31454b7a45b9480bca40a11
https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.4