CVE-2026-34590

Exploit

EPSS 0.03%
Veröffentlicht 02.04.2026 17:26:58
Zuletzt bearbeitet 07.04.2026 21:21:53
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto which validates the url field with only @IsUrl() (format check), missing the @IsSafeWebhookUrl validator that blocks internal/private network addresses. The update (PUT /webhooks/) and test (POST /webhooks/send) endpoints correctly apply @IsSafeWebhookUrl. When a post is published, the orchestrator fetches the stored webhook URL without runtime validation, enabling blind SSRF against internal services. This issue has been patched in version 2.21.4.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Gitroom ≫ Postiz Version < 2.21.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.101

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-wc9c-7cv8-m225

Vendor Advisory

Exploit

Mitigation

https://github.com/gitroomhq/postiz-app/commit/5ae4c950db6aa516a31454b7a45b9480bca40a11

Patch

https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.4

Product

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-34590

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-34590

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-34590

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-34590