Description
Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to the server by spoofing the `Content-Type` header. The uploaded files are then served by nginx with a Content-Type derived from their original extension (`text/html`, `image/svg+xml`), enabling Stored Cross-Site Scripting (XSS) in the context of the application's origin. This can lead to session riding, account takeover, and full compromise of other users' accounts. Version 2.21.6 contains a fix.
Published: 2026-04-18
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS leading to account takeover
Action: Immediate Patch
AI Analysis

Impact

Postiz, an AI social media scheduling tool, contains a file upload validation bypass that allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types by spoofing the Content-Type header. The server then serves those files with MIME types derived from the original extension (text/html, image/svg+xml), allowing Stored Cross-Site Scripting within the application's origin. This flaw can be exploited to hijack user sessions, take over accounts, and fully compromise other users' accounts.

Affected Systems

The affected product is GitRoom HQ's Postiz application. All releases before version 2.21.6 are impacted, while version 2.21.6 and later contain the remediation.

Risk and Exploitability

The CVSS score of 8.9 indicates a high-severity flaw. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is an authenticated web user abusing the file-upload endpoint; once a malicious file has been uploaded, it is served back from the application's origin and executes in the browsers of other users who open it. The combination of high severity, only a low-privilege authenticated account being required, and limited detection visibility puts any organization running a vulnerable Postiz instance at high risk.

Generated by OpenCVE AI on April 18, 2026 at 17:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Postiz to version 2.21.6 or later to apply the vendor fix.
  • If an upgrade cannot be performed immediately, enforce strict MIME type validation on the upload endpoint, permitting only whitelisted safe file types.
  • Configure nginx to serve uploaded files with safe content types and add X-Content-Type-Options and X-XSS-Protection headers to reduce the risk of stored XSS.
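The following Python is an added example illustrating the second and third recommended actions together; it is not Postiz's upload handler or its nginx configuration, and the allowlist, the magic-byte checks, the header set and the sample uploads are all assumptions constructed for this example. The point it demonstrates is the one the advisory turns on: the client's Content-Type header is a claim to be verified against an allowlisted extension and the file's actual bytes, the stored name is chosen by the server rather than taken from the client, and the download path sends the type recorded at upload time with `X-Content-Type-Options: nosniff` and a sandboxing Content-Security-Policy. (Current browsers ignore X-XSS-Protection, so the nosniff and sandbox headers are the controls that actually carry weight on the serving side.)

```python
import os
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Allowlist of upload types: extension -> (canonical MIME type, magic-byte check).
# These entries and signature checks are constructed for this example and cover
# only a handful of common media formats; HTML, SVG and XML are deliberately absent.
def _is_png(b: bytes) -> bool:
    return b.startswith(b"\x89PNG\r\n\x1a\n")

def _is_jpeg(b: bytes) -> bool:
    return b.startswith(b"\xff\xd8\xff")

def _is_gif(b: bytes) -> bool:
    return b[:6] in (b"GIF87a", b"GIF89a")

def _is_webp(b: bytes) -> bool:
    return len(b) >= 12 and b[:4] == b"RIFF" and b[8:12] == b"WEBP"

def _is_mp4(b: bytes) -> bool:
    return len(b) >= 12 and b[4:8] == b"ftyp"

ALLOWED: Dict[str, Tuple[str, Callable[[bytes], bool]]] = {
    ".png": ("image/png", _is_png),
    ".jpg": ("image/jpeg", _is_jpeg),
    ".jpeg": ("image/jpeg", _is_jpeg),
    ".gif": ("image/gif", _is_gif),
    ".webp": ("image/webp", _is_webp),
    ".mp4": ("video/mp4", _is_mp4),
}


@dataclass
class Verdict:
    accepted: bool
    reason: str
    mime: Optional[str] = None         # canonical type to record and serve with
    stored_name: Optional[str] = None  # server-chosen name, never the client's


def validate_upload(filename: str, declared_type: str, data: bytes) -> Verdict:
    """Accept only if extension, declared Content-Type and actual bytes agree.

    The header is checked against the extension's canonical type rather than
    trusted, and the bytes must carry that type's signature, so neither a
    spoofed header nor a renamed file gets through on its own.
    """
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED:
        return Verdict(False, f"extension {ext!r} is not allowlisted")
    canonical, looks_like = ALLOWED[ext]
    # Compare the media type only; parameters such as charset are irrelevant here.
    declared = declared_type.split(";", 1)[0].strip().lower()
    if declared != canonical:
        return Verdict(False, f"declared type {declared!r} does not match {canonical!r}")
    if not looks_like(data):
        return Verdict(False, f"content does not carry a {canonical} signature")
    # Random server-side name with the allowlisted extension: nothing downstream
    # (nginx included) can derive a type from a user-controlled filename.
    stored = secrets.token_hex(16) + ext
    return Verdict(True, "ok", canonical, stored)


def serve_headers(mime: str) -> Dict[str, str]:
    """Headers for the download path: the type recorded at upload time, no MIME
    sniffing, and a sandbox so a served file cannot run script in the app origin
    even if every upload-side control failed."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


# Constructed sample uploads: one genuine PNG header, then inert files of the
# kinds the advisory describes (HTML/SVG bodies, mismatched headers, renamed files).
SAMPLES = [
    ("avatar.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("note.html", "image/png", b"<html><body>hello</body></html>"),
    ("logo.svg", "image/svg+xml", b"<svg xmlns='http://www.w3.org/2000/svg'/>"),
    ("pic.png", "image/png", b"<html>not really a png</html>"),
    ("clip.jpg", "image/png", b"\xff\xd8\xff\xe0"),
]


def run_samples():
    """Validate every constructed sample; returns (name, Verdict) pairs."""
    return [(name, validate_upload(name, ctype, body)) for name, ctype, body in SAMPLES]


if __name__ == "__main__":
    for name, v in run_samples():
        print(f"{name:12} accepted={str(v.accepted):5} {v.reason}")
```

Only the first sample is accepted: the HTML and SVG files fail on extension regardless of the header they claim, `pic.png` fails the signature check, and `clip.jpg` fails because its header does not match the type the extension implies. The nginx side of this is then trivial: serve only names the application generated, from a location that adds the same `nosniff` and `sandbox` headers, with no `types` mapping for HTML or SVG.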

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 01:45:00 +0000

Values added (no values were removed in this change):

  • Description: identical to the Description at the top of this page.
  • Title: Postiz Has Unrestricted File Upload via MIME Type Spoofing that Leads to Stored XSS
  • Weaknesses: CWE-345, CWE-434, CWE-79
  • References: (none listed)
  • Metrics: cvssV3_1 {'score': 8.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-18T01:19:06.588Z

Reserved: 2026-04-13T19:50:42.114Z

Link: CVE-2026-40487

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-18T02:16:11.670

Modified: 2026-04-18T02:16:11.670

Link: CVE-2026-40487

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:15:05Z

Weaknesses