CVE-2026-42346

Published: Mag 09, 2026 Last Modified: Mag 09, 2026
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 6,5
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: low
Availability: none

Description

AI Translation Available

Postiz is an AI social media scheduling tool. From version 2.16.6 to before version 2.21.7, all SSRF protections added in v2.21.4–v2.21.6 share a fundamental TOCTOU (Time-of-Check-Time-of-Use) vulnerability: isSafePublicHttpsUrl() resolves DNS to validate the target IP, but subsequent fetch() calls resolve DNS independently. An attacker controlling a DNS server can exploit this gap via DNS rebinding to redirect requests to internal network addresses. This issue has been patched in version 2.21.7.

918

Server-Side Request Forgery (SSRF)

Incomplete
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Integrity Access Control
Potential Impacts:
Read Application Data Execute Unauthorized Code Or Commands Bypass Protection Mechanism
Applicable Platforms
Technologies: AI/ML, Web Based, Web Server
View CWE Details
https://github.com/gitroomhq/postiz-app/commit/071143dcb01c…
https://github.com/gitroomhq/postiz-app/commit/071143dcb01cdeb9d5d7019892f4c6ff…
https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.7
https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.7
https://github.com/gitroomhq/postiz-app/security/advisories…
https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-f7jj-p389-4w45