Postiz Security Advisories
Security Advisories published & maintained by the Postiz team
Recent advisories
Latest published advisories scoped to Postiz.
- Medium · PSA-2026-NWZN9J · June 22, 2026
Insufficient verification of lifetime-deal redemption codes allows forgery of permanent paid subscriptions
- Medium · PSA-2026-Q3TCPK · May 23, 2026
Unauthenticated arbitrary lifetime PRO grant via Nowpayments webhook
- Medium · PSA-2026-WWFR8X · May 22, 2026
Unauthenticated billing-enforcement bypass via /public/modify-subscription
- High · PSA-2026-2CAQ96 · May 22, 2026
SUPERADMIN takeover via Skool-provider JWT forgery
Attackers can exploit the skool-provider JWT sign process to generate a JWT token with isSuperAdmin: true
- Medium · PSA-2026-04-M1S0 · April 28, 2026
TOCTOU DNS rebinding bypasses all SSRF URL validation paths
- High · PSA-2026-T0E4W0 · April 27, 2026
Postiz stored XSS in public preview page
- Critical · PSA-2026-04-1YDY · April 24, 2026
Arbitrary Code Execution and Token Exfiltration in pr-docker-build.yml via untrusted Dockerfile.dev
- High · PSA-2026-04-6EZ5 · April 22, 2026
Server-Side Request Forgery via Redirect Bypass in /api/public/stream
- Critical · PSA-2026-04-5MVG · April 19, 2026
Unrestricted File Upload via MIME Type Spoofing Leads to Stored XSS
- Medium · PSA-2026-04-HVBM · April 19, 2026
SSRF via Webhook Creation Endpoint Missing URL Safety Validation