Description
Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to the server by spoofing the `Content-Type` header. The uploaded files are then served by nginx with a Content-Type derived from their original extension (`text/html`, `image/svg+xml`), enabling Stored Cross-Site Scripting (XSS) in the context of the application's origin. This can lead to session riding, account takeover, and full compromise of other users' accounts. Version 2.21.6 contains a fix.
Published: 2026-04-18
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS leading to account takeover
Action: Immediate Patch
AI Analysis

Impact

Postiz, an AI social media scheduling tool, contains a file upload validation bypass that allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types by spoofing the Content-Type header. The server then serves those files with MIME types derived from the original extension (text/html, image/svg+xml), allowing Stored Cross-Site Scripting within the application's origin. This flaw can be exploited to ride user sessions, take over accounts, and fully compromise other users' accounts.

Affected Systems

The affected vendor is GitRoom HQ's Postiz application. All releases before version 2.21.6 are impacted; version 2.21.6 and later contain the remediation.

Risk and Exploitability

The CVSS score of 8.9 indicates a high-severity flaw. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is an authenticated web user exploiting the file-upload endpoint; once an attacker uploads a malicious file, it is served back and executed in privileged browser contexts. The combination of high severity, authenticated access requirement, and lack of detection pushes this vulnerability to high risk for any organization running vulnerable Postiz instances.

Generated by OpenCVE AI on April 18, 2026 at 17:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Postiz to version 2.21.6 or later to apply the vendor fix.
  • If an upgrade cannot be performed immediately, enforce strict MIME type validation on the upload endpoint, permitting only whitelisted safe file types.
  • Configure nginx to serve uploaded files with safe content types and add X-Content-Type-Options and X-XSS-Protection headers to reduce the risk of stored XSS.
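The second and third recommendations above, worked through as an added example (written for this page, not Postiz's own upload handler; every function and field name here is hypothetical). The upload side decides what a file is from its leading bytes, never from the client-supplied Content-Type or filename, stores it under a server-chosen name whose extension matches the detected format (so an extension-based MIME map such as nginx's agrees with the content), and the serving side adds headers that stop the browser from reinterpreting the bytes. The sample inputs are constructed, inert payloads with a spoofed declared type.

```typescript
// Added example for this advisory; not Postiz code. Names are hypothetical.

export interface UploadDecision {
  accepted: boolean;
  declaredType: string;        // what the client claimed (kept only for logging)
  detectedType: string | null; // what the bytes say
  storedName: string | null;   // server-chosen name with a trustworthy extension
  reason?: string;
}

interface Signature { mime: string; ext: string; sig: number[]; offset: number }

// Allowlist keyed on magic bytes. HTML, SVG and every other text-based type
// is absent on purpose: nothing a browser renders as a document is accepted.
const MAGIC: readonly Signature[] = [
  { mime: "image/png",  ext: "png",  sig: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a], offset: 0 },
  { mime: "image/jpeg", ext: "jpg",  sig: [0xff, 0xd8, 0xff], offset: 0 },
  { mime: "image/gif",  ext: "gif",  sig: [0x47, 0x49, 0x46, 0x38], offset: 0 },
  { mime: "image/webp", ext: "webp", sig: [0x57, 0x45, 0x42, 0x50], offset: 8 }, // "WEBP" after the RIFF header
];

function detectFormat(bytes: Uint8Array): Signature | null {
  for (const m of MAGIC) {
    if (bytes.length < m.offset + m.sig.length) continue;
    if (m.sig.every((b, i) => bytes[m.offset + i] === b)) return m;
  }
  return null;
}

export function sniffMime(bytes: Uint8Array): string | null {
  const f = detectFormat(bytes);
  return f ? f.mime : null;
}

export function validateUpload(bytes: Uint8Array, declaredType: string, storageId: string): UploadDecision {
  const format = detectFormat(bytes);
  if (format === null) {
    // declaredType is ignored for the decision; a mismatch between it and
    // the detected type is worth logging as a spoofing signal.
    return { accepted: false, declaredType, detectedType: null, storedName: null,
             reason: "leading bytes match no allowlisted image format" };
  }
  return { accepted: true, declaredType, detectedType: format.mime,
           storedName: `${storageId}.${format.ext}` };
}

// Headers for the response that serves a stored upload.
export function safeServingHeaders(detectedType: string): Record<string, string> {
  return {
    "Content-Type": detectedType,                              // from the sniffed format, not the client
    "X-Content-Type-Options": "nosniff",                       // browser must not second-guess the type
    "Content-Security-Policy": "default-src 'none'; sandbox",  // inert even if something slips through
    "Content-Disposition": "inline",
  };
}

// Constructed sample inputs (not real uploads).
function ascii(s: string): Uint8Array {
  return new Uint8Array(Array.from(s, (c) => c.charCodeAt(0)));
}
export const SAMPLE_PNG = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
export const SAMPLE_SVG_AS_PNG = ascii('<svg xmlns="http://www.w3.org/2000/svg"></svg>'); // declared image/png
export const SAMPLE_HTML_AS_JPEG = ascii("<!doctype html><title>x</title>");             // declared image/jpeg

export function demo(): UploadDecision[] {
  return [
    validateUpload(SAMPLE_PNG, "image/png", "a1b2c3"),
    validateUpload(SAMPLE_SVG_AS_PNG, "image/png", "d4e5f6"),
    validateUpload(SAMPLE_HTML_AS_JPEG, "image/jpeg", "g7h8i9"),
  ];
}
```

Two notes on the design. The `X-XSS-Protection` header named in the third bullet is deprecated and ignored by current browsers; `nosniff` together with a restrictive Content-Security-Policy on the upload route is what actually does the work. The stronger structural fix, independent of any validation logic, is to serve user uploads from a separate origin so that even a file a browser does render as a document cannot reach the application's cookies or DOM.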

Generated by OpenCVE AI on April 18, 2026 at 17:03 UTC.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared | -              | Gitroom; Gitroom postiz
CPEs                | -              | cpe:2.3:a:gitroom:postiz:*:*:*:*:*:*:*:*
Vendors & Products  | -              | Gitroom; Gitroom postiz

Mon, 20 Apr 2026 16:15:00 +0000

Type         | Values Removed | Values Added
Metrics ssvc | -              | {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 15:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared | -              | Gitroomhq; Gitroomhq postiz-app
Vendors & Products  | -              | Gitroomhq; Gitroomhq postiz-app

Sat, 18 Apr 2026 01:45:00 +0000

Type             | Values Removed | Values Added
Description      | -              | Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to the server by spoofing the `Content-Type` header. The uploaded files are then served by nginx with a Content-Type derived from their original extension (`text/html`, `image/svg+xml`), enabling Stored Cross-Site Scripting (XSS) in the context of the application's origin. This can lead to session riding, account takeover, and full compromise of other users' accounts. Version 2.21.6 contains a fix.
Title            | -              | Postiz Has Unrestricted File Upload via MIME Type Spoofing that Leads to Stored XSS
Weaknesses       | -              | CWE-345; CWE-434; CWE-79
References       | -              | -
Metrics cvssV3_1 | -              | {'score': 8.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T15:25:40.893Z

Reserved: 2026-04-13T19:50:42.114Z

Link: CVE-2026-40487

Vulnrichment

Updated: 2026-04-20T15:25:17.386Z

NVD

Status : Analyzed

Published: 2026-04-18T02:16:11.670

Modified: 2026-04-23T15:27:22.400

Link: CVE-2026-40487

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T14:58:55Z

Weaknesses