Postiz Security Advisories

Published advisories

14 advisories published under Postiz.

PSA-2026-Q3TCPKCVE-2026-487992026-05-23Postiz App
Unauthenticated arbitrary lifetime PRO grant via Nowpayments webhook
Medium
PSA-2026-WWFR8XCVE-2026-487832026-05-22Postiz App
Unauthenticated billing-enforcement bypass via /public/modify-subscription
Medium
PSA-2026-2CAQ96CVE-2026-487812026-05-22Postiz App
SUPERADMIN takeover via Skool-provider JWT forgery
Attackers can exploit the skool-provider JWT sign process to generate a JWT token with isSuperAdmin: true
High
PSA-2026-04-M1S0CVE-2026-423462026-04-28Postiz App
TOCTOU DNS rebinding bypasses all SSRF URL validation paths
TOCTOU DNS rebinding bypasses all SSRF URL validation paths
Medium
PSA-2026-T0E4W0CVE-2026-425562026-04-27Postiz App
Postiz stored XSS in public preview page
Postiz stored XSS in public preview page
High
PSA-2026-04-1YDYCVE-2026-422982026-04-24Postiz App
Arbitrary Code Execution and Token Exfiltration in pr-docker-build.yml via untrusted Dockerfile.dev
Critical
PSA-2026-04-6EZ5CVE-2026-401682026-04-22Postiz App
Server-Side Request Forgery via Redirect Bypass in /api/public/stream
Server-Side Request Forgery via Redirect Bypass in /api/public/stream
High
PSA-2026-04-5MVGCVE-2026-00032026-04-19Postiz App
Unrestricted File Upload via MIME Type Spoofing Leads to Stored XSS
Unrestricted File Upload via MIME Type Spoofing Leads to Stored XSS
Critical
PSA-2026-04-HVBMCVE-2026-345902026-04-19Postiz App
SSRF via Webhook Creation Endpoint Missing URL Safety Validation
SSRF via Webhook Creation Endpoint Missing URL Safety Validation
Medium
PSA-2026-04-KT4WCVE-2026-345762026-04-19Postiz App
SSRF in upload-from-url endpoint allows fetching internal resources and cloud metadata
SSRF in upload-from-url endpoint allows fetching internal resources and cloud metadata
Medium
PSA-2026-04-422GCVE-2026-345772026-04-19Postiz App
Unauthenticated Full-Read SSRF via /public/stream Endpoint with Trivially Bypassable Extension Check
Unauthenticated Full-Read SSRF via /public/stream Endpoint with Trivially Bypassable Extension Check
High
PSA-2026-04-SRGACVE-2024-343512026-04-19Postiz App
High-Severity SSRF in Postiz App
High-Severity SSRF in Postiz App
High
PSA-2026-04-ZR1M2026-04-19Postiz App
Multiple SSRF Vectors - Webhooks, RSS Feed, URL Loader (CWE-918)
Multiple SSRF Vectors - Webhooks, RSS Feed, URL Loader (CWE-918)
High
PSA-2026-04-PY6VCVE-2025-536412026-04-19Postiz App
Header mutation in middleware facilitates SSRF
Header mutation in middleware facilitates SSRF
High