{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40487", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-13T19:50:42.114Z", "datePublished": "2026-04-18T01:19:06.588Z", "dateUpdated": "2026-04-20T15:25:40.893Z"}, "containers": {"cna": {"title": "Postiz Has Unrestricted File Upload via MIME Type Spoofing that Leads to Stored XSS", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-345", "lang": "en", "description": "CWE-345: Insufficient Verification of Data Authenticity", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-434", "lang": "en", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-44wg-r34q-hvfx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-44wg-r34q-hvfx"}, {"name": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.6"}], "affected": [{"vendor": "gitroomhq", "product": "postiz-app", "versions": [{"version": "< 2.21.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-18T01:19:06.588Z"}, "descriptions": [{"lang": "en", "value": "Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to the server by spoofing the `Content-Type` header. The uploaded files are then served by nginx with a Content-Type derived from their original extension (`text/html`, `image/svg+xml`), enabling Stored Cross-Site Scripting (XSS) in the context of the application's origin. This can lead to session riding, account takeover, and full compromise of other users' accounts. Version 2.21.6 contains a fix."}], "source": {"advisory": "GHSA-44wg-r34q-hvfx", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-44wg-r34q-hvfx", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T15:25:37.579242Z", "id": "CVE-2026-40487", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T15:25:40.893Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40487", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-20T15:25:37.579242Z"}}}], "references": [{"url": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-44wg-r34q-hvfx", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T15:25:17.386Z"}}], "cna": {"title": "Postiz Has Unrestricted File Upload via MIME Type Spoofing that Leads to Stored XSS", "source": {"advisory": "GHSA-44wg-r34q-hvfx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.9, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "gitroomhq", "product": "postiz-app", "versions": [{"status": "affected", "version": "< 2.21.6"}]}], "references": [{"url": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-44wg-r34q-hvfx", "name": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-44wg-r34q-hvfx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.6", "name": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to the server by spoofing the `Content-Type` header. The uploaded files are then served by nginx with a Content-Type derived from their original extension (`text/html`, `image/svg+xml`), enabling Stored Cross-Site Scripting (XSS) in the context of the application's origin. This can lead to session riding, account takeover, and full compromise of other users' accounts. Version 2.21.6 contains a fix."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-345", "description": "CWE-345: Insufficient Verification of Data Authenticity"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-18T01:19:06.588Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40487", "state": "PUBLISHED", "dateUpdated": "2026-04-20T15:25:40.893Z", "dateReserved": "2026-04-13T19:50:42.114Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-18T01:19:06.588Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitroom:postiz:*:*:*:*:*:*:*:*", "matchCriteriaId": "E5AA1AE0-803D-40DD-9D8B-4B166691D8B9", "versionEndExcluding": "2.21.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to the server by spoofing the `Content-Type` header. The uploaded files are then served by nginx with a Content-Type derived from their original extension (`text/html`, `image/svg+xml`), enabling Stored Cross-Site Scripting (XSS) in the context of the application's origin. This can lead to session riding, account takeover, and full compromise of other users' accounts. Version 2.21.6 contains a fix."}], "id": "CVE-2026-40487", "lastModified": "2026-04-23T15:27:22.400", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-18T02:16:11.670", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.6"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-44wg-r34q-hvfx"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-44wg-r34q-hvfx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-345"}, {"lang": "en", "value": "CWE-434"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.21.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "postiz-app", "source": "cna", "vendor": "gitroomhq"}, "product": "postiz-app", "vendor": "gitroomhq"}], "analysis": {"en": {"generated_at": "2026-04-18T17:03:00.984021+00:00", "value": {"mitigation_remediation": ["Update Postiz to version 2.21.6 or later to apply the vendor fix.", "If an upgrade cannot be performed immediately, enforce strict MIME type validation on the upload endpoint, permitting only whitelisted safe file types.", "Configure nginx to serve uploaded files with safe content types and add X\u2011Content\u2011Type\u2011Options and X\u2011XSS\u2011Protection headers to reduce the risk of stored XSS."], "summary": {"action": "Immediate Patch", "impact": "Stored XSS leading to account takeover"}, "threat_synthesis": {"affected_systems": "The vendor affecting this vulnerability is GitRoom HQ\u2019s Postiz application. All releases before version 2.21.6 are impacted, while version 2.21.6 and later contain the remediation.\n", "description_and_impact": "Postiz, an AI social media scheduling tool, contains a file upload validation bypass that allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types by spoofing the Content\u2011Type header. The server then serves those files with MIME types derived from the original extension (text/html, image/svg+xml), allowing Stored Cross\u2011Site Scripting within the application\u2019s origin. This flaw can be exploited to ride user sessions, takeover accounts, and fully compromise other users' accounts.\n", "risk_and_exploitability": "The CVSS score of 8.9 indicates a high\u2011severity flaw. The EPSS score is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is an authenticated web user exploiting the file\u2011upload endpoint; once an attacker uploads a malicious file, it is served back and executed in privileged browser contexts. The combination of high severity, authenticated access requirement, and lack of detection pushes this vulnerability to high risk for any organization running vulnerable Postiz instances."}}}}, "created": "2026-04-18T17:15:05.773396+00:00", "updated": "2026-04-20T14:58:55.298230+00:00", "vendors": ["gitroomhq", "gitroomhq$PRODUCT$postiz-app"]}