CVE-2026-40168
CVE-2026-40168
8.2
HighPublished:
Last updated:
Source:security-advisories@github.com
Analyzed
Weakness (CWE)
CVSS Vector
v3.1- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- None
- User Interaction
- None
- Scope
- Unchanged
- Confidentiality
- High
- Integrity
- None
- Availability
- Low
Description
Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a result, an attacker can supply a public HTTPS URL that passes validation and then redirects the server-side request to an internal resource.
References
security-advisories@github.com
https://github.com/gitroomhq/postiz-app/commit/30e8b777098157362769226d1b46d83ad616cb06security-advisories@github.com
https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.5security-advisories@github.com
https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-34w8-5j2v-h6ww134c704f-9b21-4f2e-91b3-4a467353bcc0
https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-34w8-5j2v-h6ww