Postiz App

Unauthenticated arbitrary lifetime PRO grant via Nowpayments webhook

Unauthenticated billing-enforcement bypass via /public/modify-subscription

SUPERADMIN takeover via Skool-provider JWT forgery

Attackers can exploit the skool-provider JWT sign process to generate a JWT token with isSuperAdmin: true

TOCTOU DNS rebinding bypasses all SSRF URL validation paths

TOCTOU DNS rebinding bypasses all SSRF URL validation paths

Postiz stored XSS in public preview page

Postiz stored XSS in public preview page

Arbitrary Code Execution and Token Exfiltration in pr-docker-build.yml via untrusted Dockerfile.dev

Server-Side Request Forgery via Redirect Bypass in /api/public/stream

Server-Side Request Forgery via Redirect Bypass in /api/public/stream

Unrestricted File Upload via MIME Type Spoofing Leads to Stored XSS

Unrestricted File Upload via MIME Type Spoofing Leads to Stored XSS

SSRF via Webhook Creation Endpoint Missing URL Safety Validation

SSRF via Webhook Creation Endpoint Missing URL Safety Validation

SSRF in upload-from-url endpoint allows fetching internal resources and cloud metadata

SSRF in upload-from-url endpoint allows fetching internal resources and cloud metadata

Unauthenticated Full-Read SSRF via /public/stream Endpoint with Trivially Bypassable Extension Check

Unauthenticated Full-Read SSRF via /public/stream Endpoint with Trivially Bypassable Extension Check

High-Severity SSRF in Postiz App

High-Severity SSRF in Postiz App

Multiple SSRF Vectors - Webhooks, RSS Feed, URL Loader (CWE-918)

Multiple SSRF Vectors - Webhooks, RSS Feed, URL Loader (CWE-918)

Header mutation in middleware facilitates SSRF

Header mutation in middleware facilitates SSRF