Postiz AI Scheduling Tool: File Upload Bypass Allows Malicious Files
CVE-2026-40487
Summary
Any authenticated user can upload malicious files (HTML, SVG and similar) to the Postiz server, and the server then serves them under their real Content-Type. That gives the attacker stored Cross-Site Scripting in the application's origin, which can be used to take over other users' accounts. Update to version 2.21.6 to fix this issue.
Original description
Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to the server by spoofing the `Content-Type` header. The uploaded files are then served by nginx with a Content-Type derived from their original extension (`text/html`, `image/svg+xml`), enabling Stored Cross-Site Scripting (XSS) in the context of the application's origin. This can lead to session riding, account takeover, and full compromise of other users' accounts. Version 2.21.6 contains a fix.
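As an added example (not Postiz's own code), the following contrasts a check that trusts the client-supplied Content-Type header, the pattern the advisory describes, with one that validates the filename extension against an allow-list and sniffs the bytes actually stored; it also shows the nosniff header the file-serving layer should attach. The sample uploads and the helper names are constructed for this illustration.

```javascript
const ALLOWED = {
  // extension -> MIME type to serve and the magic-byte prefix a real file starts with.
  // SVG and HTML are deliberately absent: both can carry script.
  png: { mime: 'image/png', magic: [0x89, 0x50, 0x4e, 0x47] },
  jpg: { mime: 'image/jpeg', magic: [0xff, 0xd8, 0xff] },
  gif: { mime: 'image/gif', magic: [0x47, 0x49, 0x46, 0x38] },
};

// Weak check of the kind the advisory describes: only the client-supplied
// Content-Type header is consulted, so a request that declares image/png
// while carrying an SVG or HTML body passes.
function weakAccept(upload) {
  return upload.declaredType.startsWith('image/');
}

// Hardened check: decide from the filename extension and the bytes actually
// received; the declared header is never trusted.
function hardenedAccept(upload) {
  const parts = upload.filename.toLowerCase().split('.');
  const ext = parts.length > 1 ? parts.pop() : '';
  const rule = ALLOWED[ext];
  if (!rule) return { ok: false, reason: `extension "${ext}" not allowed` };
  const head = upload.body.subarray(0, rule.magic.length);
  if (!Buffer.from(rule.magic).equals(head)) {
    return { ok: false, reason: 'file bytes do not match the extension' };
  }
  return { ok: true, serveAs: rule.mime };
}

// Headers the serving layer (nginx in the advisory) should attach, so a file
// that slips through is not sniffed into an active type by the browser.
function serveHeaders(mime) {
  return { 'Content-Type': mime, 'X-Content-Type-Options': 'nosniff' };
}

// Constructed sample uploads (not real captures).
const SPOOFED_SVG = { filename: 'avatar.svg', declaredType: 'image/png',
  body: Buffer.from('<svg xmlns="http://www.w3.org/2000/svg"><script></script></svg>') };
const HTML_AS_PNG = { filename: 'avatar.png', declaredType: 'image/png',
  body: Buffer.from('<html><body>not a png</body></html>') };
const REAL_PNG = { filename: 'photo.png', declaredType: 'application/octet-stream',
  body: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) };
```

The spoofed SVG passes the weak check and is rejected by the hardened one, while a real PNG with a wrong header is accepted only by the hardened check, which shows that the header carries no useful signal either way.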
NVD CVSS 3.1: 8.9
Vulnerability type
CWE-79: Cross-site Scripting (XSS)
CWE-345: Insufficient Verification of Data Authenticity
CWE-434: Unrestricted File Upload
Published: 18 Apr 2026 · Updated: 18 Apr 2026 · First seen: 18 Apr 2026