CVE-2026-40487

HIGH

Postiz Has Unrestricted File Upload via MIME Type Spoofing that Leads to Stored XSS

Title source: cna

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-40487. PoCs published by adminlove520, Astaruf, 0xBlackash.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2026-40487, which involves a MIME-type spoofing vulnerability in Postiz leading to arbitrary file upload and stored XSS. The exploit chain allows an attacker to upload a malicious SVG file with a spoofed Content-Type header, leading to session hijacking and account takeover.

Description

Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to the server by spoofing the `Content-Type` header. The uploaded files are then served by nginx with a Content-Type derived from their original extension (`text/html`, `image/svg+xml`), enabling Stored Cross-Site Scripting (XSS) in the context of the application's origin. This can lead to session riding, account takeover, and full compromise of other users' accounts. Version 2.21.6 contains a fix.

Exploits (3)

GitHub · WORKING POC · 4 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-40487

Classification: Working PoC (95%)
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: Postiz <= 2.21.5
Auth required
Prerequisites: low-privileged attacker account · victim interaction to open a crafted URL
devstral-2 · analyzed May 13, 2026
nomisec · WORKING POC · 1 star
by Astaruf · poc
https://github.com/Astaruf/CVE-2026-40487

This repository contains a functional exploit for CVE-2026-40487, which leverages MIME-type spoofing to upload malicious SVG files, leading to stored XSS and account takeover in Postiz <= 2.21.5. The PoC includes detailed attack modes for exfiltration, privilege escalation, sabotage, and backdoor creation.

Classification: Working PoC (95%)
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: Postiz <= 2.21.5
Auth required
Prerequisites: valid attacker credentials · target URL · victim interaction to open malicious URL
devstral-2 · analyzed Apr 23, 2026
GitHub · STUB
by 0xBlackash · poc
https://github.com/0xBlackash/CVE-2026-42208

The repository contains only a minimal README with the CVE identifier and no functional exploit code or technical details. It appears to be a placeholder or stub.

Classification: Stub (95%)
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed May 03, 2026

Scores

CVSS v3: 8.9
EPSS: 0.0002
EPSS Percentile: 6.8%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-345, CWE-434, CWE-79
Status: published
Products (2):
gitroom/postiz < 2.21.6
gitroomhq/postiz-app < 2.21.6
Published: Apr 18, 2026
Tracked Since: Apr 18, 2026