Postiz Security Advisories
Security Advisories published & maintained by the Postiz team
Pinned projects
2 highlighted by the maintainers.
Recent advisories
Latest published advisories scoped to Postiz.
- MediumPSA-2026-04-M1S0· April 28, 2026
TOCTOU DNS rebinding bypasses all SSRF URL validation paths
TOCTOU DNS rebinding bypasses all SSRF URL validation paths
- HighPSA-2026-T0E4W0· April 27, 2026
Postiz stored XSS in public preview page
Postiz stored XSS in public preview page
- CriticalPSA-2026-04-1YDY· April 24, 2026
Arbitrary Code Execution and Token Exfiltration in pr-docker-build.yml via untrusted Dockerfile.dev
- HighPSA-2026-04-6EZ5· April 22, 2026
Server-Side Request Forgery via Redirect Bypass in /api/public/stream
Server-Side Request Forgery via Redirect Bypass in /api/public/stream
- CriticalPSA-2026-04-5MVG· April 19, 2026
Unrestricted File Upload via MIME Type Spoofing Leads to Stored XSS
Unrestricted File Upload via MIME Type Spoofing Leads to Stored XSS
- MediumPSA-2026-04-HVBM· April 19, 2026
SSRF via Webhook Creation Endpoint Missing URL Safety Validation
SSRF via Webhook Creation Endpoint Missing URL Safety Validation
- MediumPSA-2026-04-KT4W· April 19, 2026
SSRF in upload-from-url endpoint allows fetching internal resources and cloud metadata
SSRF in upload-from-url endpoint allows fetching internal resources and cloud metadata
- HighPSA-2026-04-422G· April 19, 2026
Unauthenticated Full-Read SSRF via /public/stream Endpoint with Trivially Bypassable Extension Check
Unauthenticated Full-Read SSRF via /public/stream Endpoint with Trivially Bypassable Extension Check
- HighPSA-2026-04-SRGA· April 19, 2026
High-Severity SSRF in Postiz App
High-Severity SSRF in Postiz App
- HighPSA-2026-04-ZR1M· April 19, 2026
Multiple SSRF Vectors - Webhooks, RSS Feed, URL Loader (CWE-918)
Multiple SSRF Vectors - Webhooks, RSS Feed, URL Loader (CWE-918)