Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-42346

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-08 May, 2026 | 22:26
Updated At-08 May, 2026 | 22:26
Rejected At-
Credits

Postiz: TOCTOU DNS rebinding bypasses all SSRF URL validation paths

Postiz is an AI social media scheduling tool. From version 2.16.6 to before version 2.21.7, all SSRF protections added in v2.21.4–v2.21.6 share a fundamental TOCTOU (Time-of-Check-Time-of-Use) vulnerability: isSafePublicHttpsUrl() resolves DNS to validate the target IP, but subsequent fetch() calls resolve DNS independently. An attacker controlling a DNS server can exploit this gap via DNS rebinding to redirect requests to internal network addresses. This issue has been patched in version 2.21.7.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:08 May, 2026 | 22:26
Updated At:08 May, 2026 | 22:26
Rejected At:
▼CVE Numbering Authority (CNA)
Postiz: TOCTOU DNS rebinding bypasses all SSRF URL validation paths

Postiz is an AI social media scheduling tool. From version 2.16.6 to before version 2.21.7, all SSRF protections added in v2.21.4–v2.21.6 share a fundamental TOCTOU (Time-of-Check-Time-of-Use) vulnerability: isSafePublicHttpsUrl() resolves DNS to validate the target IP, but subsequent fetch() calls resolve DNS independently. An attacker controlling a DNS server can exploit this gap via DNS rebinding to redirect requests to internal network addresses. This issue has been patched in version 2.21.7.

Affected Products
Vendor
gitroomhq
Product
postiz-app
Versions
Affected
  • >= 2.16.6, < 2.21.7
Problem Types
TypeCWE IDDescription
CWECWE-918CWE-918: Server-Side Request Forgery (SSRF)
Type: CWE
CWE ID: CWE-918
Description: CWE-918: Server-Side Request Forgery (SSRF)
Metrics
VersionBase scoreBase severityVector
3.16.5MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-f7jj-p389-4w45
x_refsource_CONFIRM
https://github.com/gitroomhq/postiz-app/commit/071143dcb01cdeb9d5d7019892f4c6ff7b19dbeb
x_refsource_MISC
https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.7
x_refsource_MISC
Hyperlink: https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-f7jj-p389-4w45
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/gitroomhq/postiz-app/commit/071143dcb01cdeb9d5d7019892f4c6ff7b19dbeb
Resource:
x_refsource_MISC
Hyperlink: https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.7
Resource:
x_refsource_MISC
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:08 May, 2026 | 23:16
Updated At:08 May, 2026 | 23:16

Postiz is an AI social media scheduling tool. From version 2.16.6 to before version 2.21.7, all SSRF protections added in v2.21.4–v2.21.6 share a fundamental TOCTOU (Time-of-Check-Time-of-Use) vulnerability: isSafePublicHttpsUrl() resolves DNS to validate the target IP, but subsequent fetch() calls resolve DNS independently. An attacker controlling a DNS server can exploit this gap via DNS rebinding to redirect requests to internal network addresses. This issue has been patched in version 2.21.7.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-918Primarysecurity-advisories@github.com
CWE ID: CWE-918
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/gitroomhq/postiz-app/commit/071143dcb01cdeb9d5d7019892f4c6ff7b19dbebsecurity-advisories@github.com
N/A
https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.7security-advisories@github.com
N/A
https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-f7jj-p389-4w45security-advisories@github.com
N/A
Hyperlink: https://github.com/gitroomhq/postiz-app/commit/071143dcb01cdeb9d5d7019892f4c6ff7b19dbeb
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.7
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-f7jj-p389-4w45
Source: security-advisories@github.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

12Records found
CVE-2026-40168
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-8.2||HIGH
EPSS-0.06% / 17.28%
||
7 Day CHG~0.00%
Published-10 Apr, 2026 | 19:20
Updated-14 Apr, 2026 | 20:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Postiz has Server-Side Request Forgery via Redirect Bypass in /api/public/stream

Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a result, an attacker can supply a public HTTPS URL that passes validation and then redirects the server-side request to an internal resource.

Action-Not Available
Vendor-gitroomgitroomhq
Product-postizpostiz-app
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-34590
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.04% / 11.82%
||
7 Day CHG~0.00%
Published-02 Apr, 2026 | 17:26
Updated-07 Apr, 2026 | 21:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Postiz: SSRF via Webhook Creation Endpoint Missing URL Safety Validation

Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto which validates the url field with only @IsUrl() (format check), missing the @IsSafeWebhookUrl validator that blocks internal/private network addresses. The update (PUT /webhooks/) and test (POST /webhooks/send) endpoints correctly apply @IsSafeWebhookUrl. When a post is published, the orchestrator fetches the stored webhook URL without runtime validation, enabling blind SSRF against internal services. This issue has been patched in version 2.21.4.

Action-Not Available
Vendor-gitroomgitroomhq
Product-postizpostiz-app
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-34576
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-8.3||HIGH
EPSS-0.04% / 12.20%
||
7 Day CHG+0.01%
Published-02 Apr, 2026 | 17:23
Updated-07 Apr, 2026 | 21:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Postiz: SSRF in upload-from-url endpoint allows fetching internal resources and cloud metadata

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get() with no SSRF protections. The only validation is a file extension check (.png, .jpg, etc.) which is trivially bypassed by appending an image extension to any URL path. An authenticated API user can fetch internal network resources, cloud instance metadata, and other internal services, with the response data uploaded to storage and returned to the attacker. This issue has been patched in version 2.21.3.

Action-Not Available
Vendor-gitroomgitroomhq
Product-postizpostiz-app
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-34577
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-8.6||HIGH
EPSS-0.11% / 29.74%
||
7 Day CHG+0.01%
Published-02 Apr, 2026 | 17:24
Updated-07 Apr, 2026 | 21:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Postiz: Unauthenticated Full-Read SSRF via /public/stream Endpoint with Trivially Bypassable Extension Check

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith('mp4'), which is trivially bypassable by appending .mp4 as a query parameter value or URL fragment. The endpoint requires no authentication and has no SSRF protections, allowing an unauthenticated attacker to read responses from internal services, cloud metadata endpoints, and other network-internal resources. This issue has been patched in version 2.21.3.

Action-Not Available
Vendor-gitroomgitroomhq
Product-postizpostiz-app
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-53641
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-8.2||HIGH
EPSS-0.26% / 49.06%
||
7 Day CHG+0.19%
Published-11 Jul, 2025 | 17:28
Updated-15 Jul, 2025 | 13:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Postiz allows header mutation in middleware facilitates resulting in SSRF

Postiz is an AI social media scheduling tool. From 1.45.1 to 1.62.3, the Postiz frontend application allows an attacker to inject arbitrary HTTP headers into the middleware pipeline. This flaw enables a server-side request forgery (SSRF) condition, which can be exploited to initiate unauthorized outbound requests from the server hosting the Postiz application. This vulnerability is fixed in 1.62.3.

Action-Not Available
Vendor-gitroomhq
Product-postiz-app
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-29454
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.24% / 47.59%
||
7 Day CHG~0.00%
Published-17 Apr, 2025 | 00:00
Updated-22 Apr, 2025 | 16:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in personal-management-system Personal Management System 1.4.65 allows a remote attacker to obtain sensitive information via the Upload function.

Action-Not Available
Vendor-personal-management-systemn/a
Product-personal_management_systemn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-29450
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.24% / 47.59%
||
7 Day CHG~0.00%
Published-17 Apr, 2025 | 00:00
Updated-21 Apr, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in twonav v.2.1.18-20241105 allows a remote attacker to obtain sensitive information via the site settings component.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-29453
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.24% / 47.59%
||
7 Day CHG~0.00%
Published-17 Apr, 2025 | 00:00
Updated-22 Apr, 2025 | 16:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in personal-management-system Personal Management System 1.4.65 allows a remote attacker to obtain sensitive information via the my-contacts-settings component.

Action-Not Available
Vendor-personal-management-systemn/a
Product-personal_management_systemn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-29449
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.24% / 47.59%
||
7 Day CHG~0.00%
Published-17 Apr, 2025 | 00:00
Updated-25 Apr, 2025 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in twonav v.2.1.18-20241105 allows a remote attacker to obtain sensitive information via the link identification function.

Action-Not Available
Vendor-lm21n/a
Product-twonavn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-29455
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.24% / 47.59%
||
7 Day CHG~0.00%
Published-17 Apr, 2025 | 00:00
Updated-22 Apr, 2025 | 16:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in personal-management-system Personal Management System 1.4.65 allows a remote attacker to obtain sensitive information via the Travel Ideas" function.

Action-Not Available
Vendor-personal-management-systemn/a
Product-personal_management_systemn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-29456
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.24% / 47.59%
||
7 Day CHG~0.00%
Published-17 Apr, 2025 | 00:00
Updated-22 Apr, 2025 | 16:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in personal-management-system Personal Management System 1.4.65 allows a remote attacker to obtain sensitive information via the create Notes function.

Action-Not Available
Vendor-personal-management-systemn/a
Product-personal_management_systemn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-57822
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-6.48% / 91.15%
||
7 Day CHG~0.00%
Published-29 Aug, 2025 | 21:33
Updated-08 Sep, 2025 | 16:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Next.js Improper Middleware Redirect Handling Leads to SSRF

Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

Action-Not Available
Vendor-vercelvercel
Product-next.jsnext.js
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
Details not found