CVE-2026-34577 · HIGH 8.6 · EPSS percentile 37.2%

Description

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith('mp4'), which is trivially bypassable by appending .mp4 as a query parameter value or URL fragment. The endpoint requires no authentication and has no SSRF protections, allowing an unauthenticated attacker to read responses from internal services, cloud metadata endpoints, and other network-internal resources. This issue has been patched in version 2.21.3.

Scoring

CVSS 3.1: 8.6 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.47% probability of exploitation · percentile 37.2% · 2026-06-19T12:03:05Z
Published: 2026-04-02
Last modified: 2026-04-07

Underlying weaknesses · 1

CWE-918

References

  1. https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.3
  2. https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-mv6h-v3jg-g539

Type     | Target                                       | Confidence | Tier
Weakness | Server-Side Request Forgery (SSRF), cwe-918  | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2026-40168
  2. CVE: CVE-2025-53641
  3. CVE: CVE-2026-40487
  4. CVE: CVE-2026-42556
  5. CVE: CVE-2026-42298
  6. CVE: CVE-2026-44335

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.