Postiz patched unauthenticated SSRF flaws in public stream endpoints
Postiz, an AI social media scheduling tool, patched two server-side request forgery vulnerabilities affecting its public stream functionality. CVE-2026-34577 exposed an unauthenticated flaw in GET /public/stream, where a user-controlled url parameter could cause the server to fetch and return the full HTTP response to the requester. The endpoint relied on an extension check requiring the URL to end in mp4, but that validation could be trivially bypassed, enabling access to internal services, cloud metadata endpoints, and other internal network resources. The issue was fixed in version 2.21.3 and assigned CWE-918.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Postiz releases version 2.21.5 to fix redirect bypass SSRF
Postiz addressed CVE-2026-40168 in version 2.21.5, fixing an SSRF vulnerability present in versions prior to 2.21.5. References for the disclosure include a fixing commit, the v2.21.5 release, and a GitHub security advisory.
GitHub receives report of redirect-based SSRF in Postiz
A second SSRF issue, CVE-2026-40168, was received by security-advisories@github.com on April 10, 2026. The flaw in /api/public/stream allowed attackers to supply a validated public HTTPS URL that redirected to an internal resource because the final destination was not re-validated after redirects.
Postiz patches unauthenticated full-read SSRF in version 2.21.3
Postiz fixed CVE-2026-34577, an unauthenticated SSRF flaw in the GET /public/stream endpoint that could proxy full HTTP responses from internal services and cloud metadata endpoints. The issue affected versions before 2.21.3 and relied on a trivially bypassable check that only verified whether the supplied URL ended with 'mp4'.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
CVE-2026-40168 - Postiz has Server-Side Request Forgery via Redirect Bypass in /api/public/stream
cvefeed.io
Open sourceCVE-2026-34577 - Postiz: Unauthenticated Full-Read SSRF via /public/stream Endpoint with Trivially Bypassable Extension Check
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical JWT Forgery Flaw in Postiz Enables SUPERADMIN Takeover
A critical vulnerability in **Postiz** allows any authenticated user to escalate privileges to **SUPERADMIN** by forging JWTs through the application's **Skool integration callback**. Tracked as **`CVE-2026-48781`** and **`GHSA-j77w-h625-56q2`**, the flaw stems from attacker-controlled JSON being signed into a session-like token with the application's `JWT_SECRET`, while authentication logic trusted the token's claims without reloading the user record from the database. The bug affects Postiz versions prior to **`2.21.8`** and enables cross-tenant takeover, arbitrary organization impersonation, full access across the affected instance, exposure of all registered users, and the ability to post through victims' connected social media accounts. The issue is rated **CVSS 9.9 (Critical)**, was verified and patched by the vendor, and defenders are advised to upgrade to **`2.21.8`**, rotate JWT secrets if compromise is suspected, and review logs for impersonation or unauthorized access activity.
Jun 29, 2026
SSRF in Saloon PHP and Auth Model Leak in AVideo Expose Sensitive Data
Two newly disclosed vulnerabilities expose sensitive information in widely used web application components. **CVE-2026-33182** affects **Saloon PHP** and allows unauthenticated, network-based **server-side request forgery (SSRF)** that can leak API credentials and session tokens, potentially granting attackers access to integrated third-party services and enabling misuse of those external environments. The issue carries a **CVSS 4.0 score of 6.6** and is described as a high-confidentiality-impact flaw, with the host application's local database remaining intact even as connected systems may be exposed. A separate issue, **CVE-2026-33501**, affects the **WWBN AVideo Permissions Plugin** and discloses an application's internal authorization model by revealing mappings between user groups and specific plugins. Although rated lower at **CVSS v3.1 5.3** and not associated with credential or personally identifiable information exposure, the flaw provides valuable reconnaissance that can help attackers identify privileged roles, map the attack surface, and support follow-on privilege escalation attempts against vulnerable authenticated extensions.
Jun 29, 2026
Multiple Critical AVideo Flaws Enable Takeover, Session Hijacking, and SSRF
WWBN **AVideo** was found to contain multiple high-severity vulnerabilities that can let attackers seize control of deployments, hijack user sessions, and access internal network resources. On uninitialized instances running version **25.0 or earlier**, `install/checkConfiguration.php` could be abused without authentication to complete setup, create an administrator account, and write configuration files, enabling full application takeover under **CVE-2026-33038**. Separate insecure defaults in the official Docker deployment path, tracked as **CVE-2026-33037**, left new installations exposed to immediate administrative compromise because the admin password defaulted to **"password"** and database credentials defaulted to `avideo/avideo`, with no forced password change or effective hardening. AVideo also exposed users and infrastructure through web-facing flaws in session handling and URL fetching. Under **CVE-2026-33043**, `/objects/phpsessionid.json.php` disclosed active PHP session IDs to unauthenticated requests, and permissive CORS behavior could allow cross-origin session theft and account takeover. Two SSRF issues affected the unauthenticated `plugin/LiveLinks/proxy.php` endpoint: **CVE-2026-33039** allowed redirect-based bypass of URL safety checks in version **25.0 and earlier**, while **CVE-2026-33480** showed that `isSSRFSafeURL()` could also be bypassed with IPv4-mapped IPv6 addresses, extending exposure through version **26.0** and enabling access to localhost, RFC1918 networks, and cloud metadata services. WWBN issued fixes in **AVideo 26.0** for most of the disclosed flaws, with an additional patch published for the IPv6-based SSRF bypass.
Jun 29, 2026