Postiz App

/gitroomhq/postiz/postiz-app

PublicReport a vulnerability

Published advisories

PSA-2026-04-M1S02026-04-28
TOCTOU DNS rebinding bypasses all SSRF URL validation paths
TOCTOU DNS rebinding bypasses all SSRF URL validation paths
Medium
PSA-2026-T0E4W02026-04-27
Postiz stored XSS in public preview page
Postiz stored XSS in public preview page
High
PSA-2026-04-1YDY2026-04-24
Arbitrary Code Execution and Token Exfiltration in pr-docker-build.yml via untrusted Dockerfile.dev
Critical
PSA-2026-04-6EZ52026-04-22
Server-Side Request Forgery via Redirect Bypass in /api/public/stream
Server-Side Request Forgery via Redirect Bypass in /api/public/stream
High
PSA-2026-04-5MVG2026-04-19
Unrestricted File Upload via MIME Type Spoofing Leads to Stored XSS
Unrestricted File Upload via MIME Type Spoofing Leads to Stored XSS
Critical
PSA-2026-04-HVBM2026-04-19
SSRF via Webhook Creation Endpoint Missing URL Safety Validation
SSRF via Webhook Creation Endpoint Missing URL Safety Validation
Medium
PSA-2026-04-KT4W2026-04-19
SSRF in upload-from-url endpoint allows fetching internal resources and cloud metadata
SSRF in upload-from-url endpoint allows fetching internal resources and cloud metadata
Medium
PSA-2026-04-422G2026-04-19
Unauthenticated Full-Read SSRF via /public/stream Endpoint with Trivially Bypassable Extension Check
Unauthenticated Full-Read SSRF via /public/stream Endpoint with Trivially Bypassable Extension Check
High
PSA-2026-04-SRGA2026-04-19
High-Severity SSRF in Postiz App
High-Severity SSRF in Postiz App
High
PSA-2026-04-ZR1M2026-04-19
Multiple SSRF Vectors - Webhooks, RSS Feed, URL Loader (CWE-918)
Multiple SSRF Vectors - Webhooks, RSS Feed, URL Loader (CWE-918)
High
PSA-2026-04-PY6V2026-04-19
Header mutation in middleware facilitates SSRF
Header mutation in middleware facilitates SSRF
High