cvedb.io
CVE-2026-40168
HIGH · CVSS 8.2
EPSS exploitation probability: 0%
Published 2026-04-10T20:16:22.643 · Last modified 2026-06-17T10:44:48.413

Summary

Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a result, an attacker can supply a public HTTPS URL that passes validation and then redirects the server-side request to an internal resource.
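
The check the summary says is missing is re-validation of each redirect target. As an added example (not Postiz code), the Python below follows redirects manually and resolves and validates every hop before requesting it; the host names, addresses and responses are constructed fixtures, and `fetch` is a hypothetical callable that performs one request without following redirects.

```python
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urljoin, urlsplit

def resolve_all(host: str) -> List[str]:
    return [i[4][0] for i in socket.getaddrinfo(host, None)]  # every A/AAAA answer; IP literals pass through

def is_public_url(url: str, resolver: Callable[[str], List[str]] = resolve_all) -> bool:
    """http(s) only, and every address the host resolves to must be globally routable
    (loopback, RFC 1918, link-local and similar ranges are all non-global in `ipaddress`)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
    except (socket.gaierror, UnicodeError, ValueError):
        return False  # unresolvable or malformed: fail closed
    return bool(addrs) and all(a.is_global for a in addrs)

def fetch_validating_every_hop(url: str, fetch: Callable[[str], Tuple[int, dict, bytes]],
                               resolver=resolve_all, max_hops: int = 5) -> Tuple[str, bytes]:
    """Follow redirects by hand so each Location is validated before it is requested. `fetch(url)`
    returns (status, headers, body) and must NOT auto-follow, or only the first URL is ever checked."""
    for _ in range(max_hops + 1):
        if not is_public_url(url, resolver):
            raise ValueError(f"blocked non-public destination: {url}")
        status, headers, body = fetch(url)
        location = headers.get("Location")
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # a relative Location resolves against the current URL
            continue
        return url, body
    raise ValueError("too many redirects")

# Constructed fixtures (not real hosts): a public-looking name whose page 302s to an intranet host.
FAKE_DNS = {"cdn.example.test": ["93.184.216.34"], "intranet.example.test": ["10.0.0.5"]}
FAKE_SITE = {
    "https://cdn.example.test/stream": (302, {"Location": "http://intranet.example.test/admin"}, b""),
    "http://intranet.example.test/admin": (200, {}, b"internal admin page"),
}
def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host) or [host]  # unknown names fall through to ip_address() and fail closed

def demo() -> str:
    try:
        return "leaked: " + fetch_validating_every_hop("https://cdn.example.test/stream", FAKE_SITE.__getitem__, fake_resolver)[1].decode()
    except ValueError as exc:
        return str(exc)
```

Resolving a name and then letting the HTTP client resolve it again leaves a DNS rebinding window; connecting to the already validated address and sending the original Host header closes it.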

Affected products

gitroom — postiz

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.