CVE-2026-40487
Received Received - Intake

Stored XSS via File Upload Validation Bypass in Postiz

Vulnerability report for CVE-2026-40487, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-18

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description

Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to the server by spoofing the `Content-Type` header. The uploaded files are then served by nginx with a Content-Type derived from their original extension (`text/html`, `image/svg+xml`), enabling Stored Cross-Site Scripting (XSS) in the context of the application's origin. This can lead to session riding, account takeover, and full compromise of other users' accounts. Version 2.21.6 contains a fix.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-18
Last Modified
2026-04-23
Generated
2026-07-06
AI Q&A
2026-04-18
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gitroom postiz to 2.21.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Postiz, an AI social media scheduling tool, prior to version 2.21.6. It allows any authenticated user to bypass file upload validation by spoofing the Content-Type header. As a result, the user can upload arbitrary HTML, SVG, or other executable file types to the server.

The uploaded files are served by nginx with a Content-Type based on their original file extension, such as text/html or image/svg+xml. This behavior enables Stored Cross-Site Scripting (XSS) attacks within the context of the application's origin.

Impact Analysis

The vulnerability can lead to serious security impacts including session riding, account takeover, and full compromise of other users' accounts. Because the malicious files are served as executable content, attackers can execute scripts in the context of the application, potentially stealing sensitive information or performing unauthorized actions.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade Postiz to version 2.21.6 or later, where the file upload validation bypass has been fixed.

Compliance Impact

The vulnerability allows authenticated users to upload arbitrary executable files, leading to Stored Cross-Site Scripting (XSS) attacks that can result in session riding, account takeover, and full compromise of other users' accounts.

Such security issues can impact compliance with standards and regulations like GDPR and HIPAA, which require protection of user data and secure handling of personal information to prevent unauthorized access and data breaches.

However, the provided information does not explicitly describe the direct effects on compliance with these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40487. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart