CVE-2026-40487
🟡 Monitoruj
Obejście walidacji przesyłania plików w Postiz umożliwia zdalne wykonanie XSS i przejęcie kont.
CVSS
8.9
EPSS
0.0%
Exploit
none
Vendor
Opis źródłowy (NVD)
Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to the server by spoofing the `Content-Type` header. The uploaded files are then served by nginx with a Content-Type derived from their original extension (`text/html`, `image/svg+xml`), enabling Stored Cross-Site Scripting (XSS) in the context of the application's origin. This can lead to session riding, account takeover, and full compromise of other users' accounts. Version 2.21.6 contains a fix.
xss
Brak patcha
Źródła i daty
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 8.9 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 0.0% |
| Opublikowano (NVD) | 2026-04-18 02:16:11 UTC |
| Ostatnia modyfikacja (NVD) | 2026-04-20 19:03:07 UTC |
Referencje
- https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.6 (security-advisories@github.com)
- https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-44wg-r34q-hvfx (security-advisories@github.com)