CVE-2026-40168
- EPSS 0.04%
- Published 10.04.2026 19:20:16
- Last modified 14.04.2026 20:09:03
Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the ...
CVE-2026-34590
- EPSS 0.03%
- Published 02.04.2026 17:26:58
- Last modified 07.04.2026 21:21:53
Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto which validates the url field with only @IsUrl() (format check), missing the @IsSafeWebhookUrl validator that b...
CVE-2026-34577
- EPSS 0.08%
- Published 02.04.2026 17:24:33
- Last modified 07.04.2026 21:21:47
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.e...
CVE-2026-34576
- EPSS 0.04%
- Published 02.04.2026 17:23:14
- Last modified 07.04.2026 21:21:43
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get() with no SSRF protections. The only validation is a file exten...