CVE-2026-40168
HIGHPostiz has Server-Side Request Forgery via Redirect Bypass in /api/public/stream
Title source: cnaDescription
Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a result, an attacker can supply a public HTTPS URL that passes validation and then redirects the server-side request to an internal resource.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-34w8-5j2v-h6ww
X_Refsource_Misc x_refsource_misc
https://github.com/gitroomhq/postiz-app/commit/30e8b777098157362769226d1b46d83ad616cb06
X_Refsource_Misc x_refsource_misc
https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.5
Scores
CVSS v3
8.2
EPSS
0.0037
EPSS Percentile
28.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (2)
gitroom/postiz
< 2.21.5
gitroomhq/postiz-app
< 2.21.5
Published
Apr 10, 2026
Tracked Since
Apr 11, 2026