9.8
CVE-2026-42298: Postiz Docker Image Build Allows Unauthenticated Code Execution
CVE-2026-42298
Summary
The Build and Publish PR Docker Image workflow built the Dockerfile.dev supplied by a pull request opened from a fork, so anyone, with no credentials at all, could have their own instructions run inside the CI job and exfiltrate the workflow's write-all GITHUB_TOKEN. To protect against this, ensure that you have the latest version of Postiz, which includes a fix for this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions |
|---|---|---|
| gitroom | postiz | < 2.21.7 (cpe:2.3:a:gitroom:postiz:*:*:*:*:*:*:*:*) |
Original title
Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow (.github/workflows/pr-docker-build.yml) allows...
Original description
Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow (.github/workflows/pr-docker-build.yml) allows any unauthenticated user to execute arbitrary code during the Docker build process and exfiltrate a highly privileged GITHUB_TOKEN (write-all permissions). This can be achieved simply by opening a Pull Request from a fork with a maliciously modified Dockerfile.dev. This issue has been patched via commit da44801.
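The workflow file itself is not reproduced on this page. As an added illustration (not the Postiz workflow or its fix), the first document below sketches the "Pwn Request" pattern the description names, and the second shows a hardened variant; the workflow title and Dockerfile.dev come from the page, while the triggers, permissions and steps are assumed.

```yaml
# Added illustration, not the Postiz file: the "Pwn Request" pattern.
# VULNERABLE: pull_request_target runs in the base repository's privileged
# context (secrets available, and here a write-all GITHUB_TOKEN), yet the job
# checks out and builds the fork's Dockerfile.dev. Every RUN instruction in
# that file therefore executes on a runner that holds the job's credentials.
name: Build and Publish PR Docker Image (vulnerable pattern, assumed)
on:
  pull_request_target:          # privileged trigger: fires for fork PRs with secrets exposed
permissions: write-all          # a token read during the build can push code and publish images
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # untrusted fork code
          # credentials are persisted into the checkout by default
      - run: docker build -f Dockerfile.dev .              # attacker-controlled RUN lines execute here
---
# HARDENED: build fork PRs under the unprivileged pull_request trigger, with a
# read-only token, no persisted credentials and no secrets in the job. Publishing
# belongs in a separate workflow that runs only after maintainer review.
name: Build PR Docker Image (hardened pattern, assumed)
on:
  pull_request:                 # fork PRs get a read-only GITHUB_TOKEN and no repository secrets
permissions:
  contents: read                # least privilege even for same-repository PRs
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false  # nothing for a RUN instruction to read out of .git/config
      - run: docker build -f Dockerfile.dev .   # builds the PR merge commit with no secrets reachable
```

When reviewing a workflow, the combination to flag is a `pull_request_target` trigger, a checkout of the PR head, and any step that executes that checkout while write permissions or secrets are present.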
NVD CVSS 3.1: 10.0
Vulnerability type: CWE-94 (Code Injection)
Published: 8 May 2026 · Updated: 1 Jun 2026 · First seen: 8 May 2026